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EXAMINING ON-GOING CHALLENGES AT THE 
U.S. SECRET SERVICE AND THEIR GOVERN- 
MENT-WIDE IMPLICATIONS 


Tuesday, November 17, 2015 

U.S. House of Representatives, 

Committee on Homeland Security, 

Subcommittee on Oversight and Management 

Efficiency, and 
U.S. Senate, 

Committee on Homeland Security and 
Governmental Affairs, 
Subcommittee on Regulatory Affairs and 
Federal Management, 

Washington, DC. 

The subcommittees met, pursuant to call, at 10:01 a.m., in Room 
210, HVC, Hon. Scott Perry [Chairman of the House Committee on 
Homeland Security, Subcommittee on Oversight and Management 
Efficiency] presiding. 

Present from the Subcommittee on Oversight and Management 
Efficiency: Representatives Perry, Watson Coleman, Thompson, 
Duncan, Clawson, Torres, Carter, and Loudermilk. 

Present from the Subcommittee on Regulatory Affairs and Fed- 
eral Management: Senators Lankford, Heitkamp, Johnson, and 
Peters. 

Mr. Perry. The House Committee on Homeland Security, Sub- 
committee on Oversight and Management Efficiency and the Sen- 
ate Committee on Homeland Security and Governmental Affairs, 
Subcommittee on Regulatory Affairs and Federal Management will 
come to order. 

The purpose of this hearing is to examine failures at the U.S. Se- 
cret Service and their implications Government- wide. 

The Chair recognizes himself for an opening statement. 

In September, the DHS Office of Inspector General, the OIG, re- 
leased a report on its 4-month-long investigation into improper ac- 
cess and distribution of information within the Secret Service. The 
findings were alarming. 

Wide-spread violations of the Privacy Act and an agency policy 
occurred by Secret Service employees who accessed and distributed 
information on a Member of Congress’ past employment application 
and senior management did nothing immediately to stop it. 

Inspector General John Roth stated that the episode was deeply 
disturbing. In addition, Director Clancy announced he had a dif- 
ferent account of what he initially told OIG. Investigators subse- 

(l) 
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quently had to re-interview Director Clancy and issue an adden- 
dum to the report. 

This incident leaves numerous questions unanswered. How did 
this happen? Why did Secret Service leadership not act and why 
and how did Director Clancy change his account almost imme- 
diately after the IG’s report was released? The American people de- 
serve answers. DHS must hold all employees involved appro- 
priately accountable. 

As disturbing as this incident is, it is only one example of other 
instances where Secret Service employees showed very poor judg- 
ment and leadership failed to act. 

Earlier this year, senior agents who may have been under the in- 
fluence of alcohol compromised an area at the White House being 
investigated for a suspicious package. Director Clancy was, again, 
not immediately informed. 

Late last year, OIG also reported about a 2011 incident where 
agents were diverted to investigate an accident at the home of — 
correction — an incident at the home of the director’s assistant, 
which appeared to be a misuse of agency resources and violation 
of the Federal Employee Code of Ethics. 

The findings in the IG’s latest report are yet another example of 
damage to the American people’s trust in the Secret Service. When 
scandal after scandal emerges and the management is ill-informed 
or fails to act, the American people have cause for great concern. 
We entrust the Secret Service with tremendous authorities and 
tools. When they abuse those authorities, they violate their con- 
tract with the American people. 

Because of the Service’s recent failures, DHS Secretary Jeh John- 
son convened a panel of experts late last year to recommend 
changes to improve the service. The panel made broad rec- 
ommendations in December 2014 related to training and personnel, 
perimeter security, technology and operation, and leadership. The 
panel’s report provided a broad road map to begin reforming the 
service. I expect Director Clancy to fully explain today what 
progress has been made in implementing the panel’s recommenda- 
tions. 

While Congress has a responsibility to conduct rigorous oversight 
of the latest incident, we must also understand what is being done 
to improve the overall management of the Secret Service. 

I am also concerned that similar abuses and shortcomings could 
occur in other Federal law enforcement agencies. It is important to 
understand what policies and safeguards, if any, are in place to 
prevent similar abuse regardless of whether it is as a Member of 
Congress or one of our constituents back home. If it happened at 
the Service, what is to say other Federal agencies are any better? 

Today’s hearing must be about more than pointing fingers. The 
American people have high expectations, as they should, for the Se- 
cret Service and want the agency to be successful. Their mission 
is absolutely critical to our Nation’s well-being and, as we saw from 
excellent work by Secret Service personnel during the papal visit, 
and United States — correction — United Nations General Assembly, 
the Service can succeed with proper focus and leadership. 
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I look forward to hearing more from our witnesses on how the 
Secret Service can best overcome recent obstacles to improve the 
management and reform the culture of this critical agency. 

[The statement of Chairman Perry follows:] 

Statement of Chairman Scott Perry 
November 17, 2015 

In September, the DHS Office of Inspector General (OIG) released a report on its 
4-month-long investigation into improper access and distribution of information 
within the Secret Service. The findings were alarming: Wide-spread violations of the 
Privacy Act and agency policy occurred by Secret Service employees who accessed 
and distributed information on a Member of Congress’s past employment application 
and senior management did nothing immediately to stop it. Inspector General John 
Roth stated that the episode was “deeply disturbing.” In addition, Director Clancy 
announced he had a different account of what he initially told OIG. Investigators 
subsequently had to reinterview Director Clancy and issue an addendum to the re- 
port. 

This incident leaves numerous questions unanswered: How did this happen, why 
did Secret Service leadership not act, and why and how did Director Clancy change 
his account almost immediately after the IG’s report is released? The American peo- 
ple deserve answers. DHS must hold all employees involved appropriately account- 
able. As disturbing as this incident is, it is only one example of other instances 
where Secret Service employees showed very poor judgment and leadership failed 
to act. Earlier this year, senior agents who may have been under the influence of 
alcohol, compromised an area at the White House being investigated for a suspicious 
package. Director Clancy was again not immediately informed. Late last year, OIG 
also reported about a 2011 incident where agents were diverted to investigate an 
incident at the home of the director’s assistant, which appeared to be a misuse of 
agency resources and violation of the Federal employee Code of Ethics. 

The findings in the IG’s latest report are yet another example of damage to the 
American people’s trust in the Secret Service. When scandal after scandal emerges 
and management is ill-informed or fails to act, the American people have cause for 
great concern. We entrust the Secret Service with tremendous authorities and tools. 
When they abuse those authorities, they violate their contract with the American 
people. 

Because of the Service’s recent failures, DHS Secretary Jeh Johnson convened a 
panel of experts late last year to recommend changes to improve the Service. The 
panel made broad recommendations in December 2014 related to training and per- 
sonnel; perimeter security, technology, and operations; and leadership. The panel’s 
report provided a broad road map to begin reforming the Service. I expect Director 
Clancy to fully explain today what progress has been made in implementing the 
panel’s recommendations. While Congress has a responsibility to conduct rigorous 
oversight of the latest incident, we must also understand what is being done to im- 
prove the overall management of the Secret Service. 

I am also concerned that similar abuses and shortcomings could occur in other 
Federal law enforcement agencies. It’s important to understand what policies and 
safeguards, if any, are in place to prevent similar abuse regardless of whether it’s 
a Member of Congress or one of our constituents back home. If it happened at the 
Service, what’s to say other Federal agencies are any better? 

Today’s hearing must be about more than pointing fingers. The American people 
have high expectations for the Secret Service and want the agency to be successful. 
Their mission is absolutely critical to our Nation’s well-being and as we saw from 
the excellent work by Secret Service personnel during the papal visit and United 
Nations General Assembly, the Service can succeed with the proper focus and lead- 
ership. I look forward to hearing more from our witnesses on how the Secret Service 
can best overcome recent obstacles to improve the management and reform the cul- 
ture of this critical agency. 

Mr. Perry. The Chair now recognizes the Chairman of the Sen- 
ate Committee on Homeland Security and Governmental Affairs, 
Subcommittee on Regulatory Affairs and Federal Management, the 
gentleman from Oklahoma, Mr. Lankford, for his statement. 
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Senator Lankford. Chairman Perry, thank you very much. 
Thanks for holding this joint hearing with our subcommittee, as 
well. 

Good morning, everyone. I am trying to think of a more awkward 
situation than how we are currently seated here but I am sure 
there is a way through a separate room; we are so far away from 
each other on this panel setting. I do appreciate everyone here. 
Hopefully this will be an open dialogue as we walk through this 
process together. 

I do hope this also sheds some important light on the situation 
where we are at, not only with the Secret Service but Government- 
wide. At the outset, I would like to acknowledge the essential role 
that Secret Service fills and its incredible dedication to our country. 
We do appreciate very much the service the Secret Service brings 
to our Nation and what it has done historically and what it con- 
tinues to do. 

However, recent history of high-profile and embarrassing scan- 
dals of the Secret Service and the latest DHS inspector general 
findings of wrongdoing can’t be swept under the rug, as I know Se- 
cret Service is not doing. 

IG’s investigation revealed unauthorized database searches of 
protected information began during a House Oversight and Govern- 
ment Reform hearing in March of this year. In the days that fol- 
lowed, many in the Secret Service continued to misuse their au- 
thority to access the sensitive employment history of Chairman 
Jason Chaffetz. 

The IG’s report noted that 60 instances of unauthorized access 
to the database by 45 Secret Service employees had violated the 
Privacy Act — excuse me — as well as an internal and DHS policies. 
The report also noted that 18 senior Secret Service executives 
failed to stop the unauthorized access or to inform Director Clancy 
about the unauthorized accesses. 

In fairness, the report does reflect that one special agent in- 
structed her subordinates to cease accessing the database. On its 
face, such wide-spread violations of our law and the public’s trust 
are deeply disturbing. The IG did not question those involved if 
this was the only time they have inappropriately used the data- 
base. 

In the internet age, everyone is concerned about the possibility 
that personal information could be stolen or misused. Our elite law 
enforcement agencies are not above the law and those responsible 
must face appropriate consequences. But, to me, there is a much 
bigger issue. 

In these days, millions of Americans’ personal data is stored 
across many Government agencies. The GAO report released ear- 
lier this year on the Government’s Federal information security 
showed alarming findings. From 2009 to 2014, the number of infor- 
mation security incidents involving personally-identifiable informa- 
tion reported by Federal agencies has more than doubled. 

GAO has stated that many agencies have largely failed to fully 
implement the hundreds of recommendations previously made to 
remedy security control vulnerabilities. 
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These security weaknesses continue to exist and the protection of 
significant personal data of millions of Americans housed by the 
IRS, HHS, the VA, and other agencies. 

Just this month, the Social Security Administration’s Office of 
the Inspector General released a report showing that the Social Se- 
curity Administration paid monetary awards to 50 employees who 
were previously discovered to have accessed personal information of 
others without authorization. 

Fifty Federal employees who accessed the personal information 
of others without authorization, yet, incredibly, in the end, they 
were rewarded despite breaking the law. 

In another troublesome example the Senate Homeland Security 
Committee received testimony this year that a whistleblower was 
retaliated against for shedding light on inadequate suicide preven- 
tion practices at a V.A. hospital. This whistleblower learned that 
V.A. employees illegally and improperly accessed his private med- 
ical records after he brought to light the shameful behavior occur- 
ring at the V.A. hospital where he serves. 

The question is now how do we fix this problem so that Ameri- 
cans believe that Government will protect their information and 
not use it for nefarious means? I am hopeful today we can take a 
step forward to address this issue, and would like to thank Director 
Clancy, Inspector General Roth, and Mr. Willemssen for their testi- 
mony today. 

I look forward to examining these challenges with each of you. 

[The statement of Chairman Lankford follows:] 

Statement of Chairman James Lankford 
November 17, 2015 

Good afternoon. I’d like to thank Chairman Perry for his willingness to hold this 
important joint hearing with our subcommittee. I’m hopeful that our efforts here 
today will shed light on how one of our top law enforcement agencies failed to pro- 
tect sensitive personal information housed in internal databases. 

At the outset, it is important to acknowledge the essential security role that the 
Secret Service fills, and its on-going dedication to our country. However, the recent 
history of high-profile and embarrassing scandals at the Service and the latest DHS 
Inspector General findings of wrong-doing cannot be swept under the rug. The IG’s 
investigation reveals that unauthorized database searches of protected information 
began during a House Oversight and Government Reform hearing in March of this 
year. In the days that followed, many at the Secret Service continued to misuse 
their authority to access the sensitive employment history of Chairman Jason 
Chaffetz. The IG’s report noted 60 instances of unauthorized access to the database 
by 45 Secret Service employees that violated the Privacy Act as well as internal and 
DHS policies. 

The report also noted that 18 senior Secret Service executives failed to stop the 
unauthorized access or inform Director Clancy about the unauthorized accesses. In 
fairness, the report does reflect that one Special Agent instructed her subordinates 
to cease accessing the database. On its face, such wide-spread violations of our law 
and the public’s trust are deeply disturbing. The IG did not question those involved 
if this was the only time they have inappropriately used the database. In the inter- 
net age, everyone is concerned about the possibility that personal information could 
be stolen or misused. 

Our elite law enforcement agencies are not above the law and those responsible 
must face appropriate consequences. But to me, there is also a much bigger issue 
for us to examine. These days millions of Americans’ personal data is stored not just 
on databases at the Secret Service, but across many Government agencies. A GAO 
report released earlier this year on the Government’s Federal information security 
showed alarming findings. From 2009 to 2014 the number of information security 
incidents involving personally identifiable information reported by Federal agencies 
has more than doubled. GAO has stated that many agencies have largely failed to 



6 


fully implement the hundreds of recommendations previously made to remedy secu- 
rity control vulnerabilities. 

These security weaknesses continue to exist in the protection of the significant 
personal data of millions of Americans housed by the IRS, HHS, the VA and other 
agencies. Just this month, the Social Security Administration’s Office of the Inspec- 
tor General released a report showing that the Social Security Administration paid 
monetary awards to 50 employees who were previously discovered to have accessed 
the personal information of others without authorization. Fifty Federal employees 
who accessed the personal information of others, without authorization and yet in- 
credibly in the end they were rewarded despite breaking the law. In another trou- 
blesome example, the Senate Homeland Security Committee received testimony this 
year that a whistleblower was retaliated against for shedding light on inadequate 
suicide prevention practices at a V.A. hospital. 

This whistleblower learned that V.A. employees illegally and improperly accessed 
his private medical records after he brought to light the shameful behavior occur- 
ring at the V.A. hospital where he served. So it’s not just the Secret Service that 
has employees who illegally accessed private information, this behavior has occurred 
across Government. The question is how do we fix this problem so that Americans 
believe that Government will protect their information and not use it to for nefar- 
ious means? I am hopeful today we can take a step forward to address this issue. 

I’d like to thank Director Clancy, Inspector General Roth, and Mr. Willemssen for 
their testimony today. I look forward to examining these challenges with each of 
you. 

Mr. Perry. Chair now recognizes the Ranking Minority Member 
of the House Committee on Homeland Security, Subcommittee on 
Oversight and Management Efficiency, the gentlelady from New 
Jersey, Mrs. Watson Coleman, for her statement. 

Mrs. Watson Coleman. I want to thank you, Mr. Chairman, and 
Chairman Lankford, and Ranking Member Heitkamp for holding 
today’s hearings. 

Director Clancy, I want to first extend my condolences in person 
on the loss of your father. 

Director, Inspector General Roth, and Mr. Willemssen, I thank 
you for your testimony. I also want to thank the men and women 
of the Secret Service for their diligence and hard work during the 
recent papal visit and the 70th anniversary of the United Nations 
General Assembly. 

As a Member of the Committee on Homeland Security and the 
Committee on Oversight and Government Reform, I am well aware 
of the gravity of the Secret Service’s mission, particularly regarding 
its duty to protect the President, along with foreign dignitaries, 
and to oversee security at major events domestically and abroad. 

While I am confident that the overwhelming majority of the men 
and women of the Secret Service both take their jobs seriously and 
express the highest grade of professionalism, I am appalled by the 
recent reports of operational lapses and poor judgment by senior- 
level management. 

It is obvious that there is a wide-spread lack of consistent leader- 
ship and management within Secret Service. However, this did not 
just begin under Director Clancy’s leadership. These issues have 
plagued the Secret Service for a number of years. 

Last year, Secretary Johnson commissioned the independent 
panel to evaluate the Secret Service. According to the panel’s re- 
port, the Secret Service needed to undergo a cultural change, and 
that included having leadership that was capable of fostering great- 
er accountability among all staff, of modernizing administrative 
functions including adjusting the hours special agents and uni- 
formed division personnel must work, and improving their training. 
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After the panel dismantled, the inspector general continued to 
corroborate their findings. In 2015 alone, the inspector general has 
issued two memoranda regarding misconduct among senior Secret 
Service personnel and two Management Advisories. 

The most recent Management Advisory was issued on October 21 
when personnel were found sleeping on the job. The inspector gen- 
eral found that staffing and scheduling practices of the Secret Serv- 
ice contributes to officer fatigue and that this can pose immediate 
danger to protectees. 

Instead of addressing the root of the problem of having over- 
worked agents, the Secret Service considered the findings an iso- 
lated incident. Furthermore, the inspector general’s most recent 
Management Advisory on improper database access of the Secret 
Service shows that the agency has a deeply-rooted cultural problem 
that is not being addressed. 

The inspector general found that over 40 agents had improperly 
accessed the personnel records of a Member of Congress through an 
antiquated database. 

According to the inspector general’s findings, Secret Service lead- 
ership including the director and the deputy director did not recog- 
nize the severity of this situation and dismissed that data breach 
as a rumor. 

The inspector general found that instead of dealing with this sit- 
uation, the director of the Secret Service discussed the improper 
database access with former directors at a luncheon. 

What is even far more glaring is the inspector general found that 
the assistant director of training, appointed by Director Clancy, to 
manage and direct all aspects of personnel care, development, and 
operational capacity training for the agencies, suggested that the 
information contained in this database be leaked to embarrass a 
Congressman. 

Mr. Chairman, while this incident is reprehensible, it is not ben- 
eficial for us to be here today to speak about it in isolation. We 
must have a broader, productive discussion about the Secret Serv- 
ices’ management and culture. 

Finally, I know the Secret Service cannot improve without help 
from Congress. Therefore, I need to know too, from the director 
what he needs from us, to not only make the adequate changes for 
staffing, but also the technological advances for personal databases. 

But I also need to know from the director what his plans for the 
agency are when he has top-level management that turns a blind 
eye instead of addressing issues. 

With that Mr. Chairman, I yield back the balance of my time. 

[The statement of Ranking Member Watson Coleman follows:] 

Statement of Ranking Member Bonnie Watson Coleman 
November 17, 2015 

I also want to thank the men and women of the Secret Service for their diligence 
and hard work during the recent Papal Visit and the 70th Anniversary of the 
United Nations General Assembly. As a Member of the Committee on Homeland Se- 
curity and the Committee on Oversight and Government Reform, I am well aware 
of the gravity of the Secret Service’s mission, particularly regarding its duty to pro- 
tect the President along with foreign dignitaries, and to oversee security at major 
events domestically and abroad. 
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While I am confident that the overwhelming majority of the men and women of 
the Secret Service both take their jobs seriously and express the highest grade of 
professionalism, I am appalled by the recent reports of operational lapses and poor 
judgment by senior-level management. 

It is obvious that there is a wide-spread lack of consistent leadership and manage- 
ment within the Secret Service. However, this did not just begin under Director 
Clancy’s leadership. These issues have plagued the Secret Service for a number of 
years. Last year, Secretary Johnson commissioned an independent panel to evaluate 
the Secret Service. 

According to the Panel’s report, the Secret Service needed to undergo a cultural 
change, and that included having leadership that was capable of fostering greater 
accountability among all staff, of modernizing administrative functions, including 
adjusting the hours Special Agents and Uniformed Division personnel must work, 
and improving their training. 

After the panel dismantled, the inspector general continued to corroborate their 
findings. In 2015 alone, the inspector general has issued two memoranda regarding 
misconduct among senior Secret Service personnel and two management advisories. 

The most recent management advisory was issued on October 21, when personnel 
were found sleeping on the job. The inspector general found that staffing and sched- 
uling practices of the Secret Service contributes to officer fatigue and this could pose 
immediate danger to protectees. Instead of addressing the root of the problem of 
having overworked agents, the Secret Service considered the findings an isolated in- 
cident. 

Furthermore, the inspector general’s most recent management advisory on Im- 
proper Database Access at the Secret Service shows that the agency has a deeply- 
rooted cultural problem that is not being addressed. The inspector general found 
that over 40 agents improperly accessed the personnel records of a Member of Con- 
gress, through an antiquated database. 

According to the inspector general’s findings, Secret Service leadership including 
the director and the deputy director did not recognize the severity of the situation 
and dismissed the data breach as a rumor. The inspector general found that instead 
of dealing with the situation, the director of the Secret Service discussed the im- 
proper database access with former directors at a luncheon. 

What is even far more glaring is the inspector general found that the assistant 
director of training — appointed by Director Clancy to manage and direct all aspects 
of personnel career development and operational capacity training for the agency- 
suggested that the information contained in this database be leaked to embarrass 
the Congressman. 

Mr. Chairman, while this incident is reprehensible, it is not beneficial for us to 
be here today to speak about it in isolation. We must have a broader, productive 
discussion about the Secret Service’s management and culture. 

Finally, I know the Secret Service cannot improve without help from Congress. 
Therefore, I need to know to from the director what he needs from us to not only 
make the adequate changes for staffing but also the technological advancements for 
personnel databases, but I also need to know from the director what his plans for 
the agency are, when he has top-level management that turns a blind eye instead 
of addressing issues. 

Mr. Perry. Chair thanks the gentlelady. The Chair now recog- 
nizes the Ranking Minority Member of the Senate Committee on 
Homeland Security and Governmental Affair’s Subcommittee on 
Regulatory Affairs and Federal Management, the gentlelady from 
North Dakota, Ms. Heitkamp for any statement she may have. 

Senator Heitkamp. Thank you Chairman Perry and Chairman 
Lankford. Welcome Mr. Clancy, Mr. Roth, and Mr. Willemssen. I 
first want to say thank you to the brave men and the brave women 
who serve in the Secret Service. While I understand the last few 
months and few years have been marked by high-profile incidents 
of agency misconduct, I know, I know and you know the majority 
of our agents work hard and put their life on the line every day 
to protect the White House, past Presidents, Presidential can- 
didates, and many administration officials and foreign dignitaries. 

I also know first-hand as a former leader of a law enforcement 
agency what the bad actions of a 2 or 3 or 4 agents can do to the 
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morale of an entire organization. I know that, just looking at the 
faces behind you Mr. Clancy, I know the effect that these high-pro- 
file discussions have had. 

I am here in the spirit of, let’s work together to make the Secret 
Service what the Secret Service should be, the most trusted law en- 
forcement agency in America. Let’s restore the morale of your 
agents. Let’s work together in a management collaboration and co- 
operation to change this dynamic and once again, have your agents 
stand tall if they tell their friends and their neighbors that they 
work for the Secret Service. 

That is a big part of why I am here today — is to remember and 
remind I think everyone on this day that there are literally thou- 
sands of men and women who every day walk alongside cars, will- 
ing to sacrifice their life in protection of leaders of this country. 
Nothing that can be done by one person can take away the bravery 
of those men and women. 

So clearly, we have some issues to discuss, there is no doubt 
about it. Clearly, you have already heard the concerns that we 
have here today. But my reason for being here and for being inter- 
ested in this topic is really to restore the morale and restore the 
integrity of the Secret Service so that all the brave men and 
women who have done nothing wrong in the Secret Service can 
once again hold their heads high. 

So with that, I yield back the balance of my time. 

Mr. Perry. Chair thanks the gentlelady. The Chair now recog- 
nizes the Ranking Minority Member of the House Committee on 
Homeland Security. The gentleman from Mississippi, Mr. Thomp- 
son for his statement. 

Mr. Thompson. Thank you very much, Mr. Chairman. I thank 
the Oversight and Management Efficiency’s Subcommittee and the 
Senate Subcommittee on Regulatory Affairs and Federal Manage- 
ment for holding today’s hearing. I also welcome Director Clancy 
and Inspector General Roth and Director Willemssen today. 

I join my colleagues who have already said before me, in thank- 
ing the men and women of the Secret Service for their work, during 
both the papal visit and the 70th anniversary of the United Na- 
tions. The dedication of the agents and officers of the Secret Serv- 
ice is admirable. 

Unfortunately, their tireless work is time and again over- 
shadowed by the exposure of symptomatic problems within the 
agency. The issues that lie within the Secret Service existed long 
before Director Clancy’s appointment. However, as head of the 
agency, Congress, the public, and officers and agents he leads, hold 
him accountable. 

Prior to Director Clancy’s appointment, serious operational 
lapses and leadership failures led to Secretary Johnson’s appoint- 
ment of a independent panel to review the Secret Service. This 
panel, known as the Protective Mission Panel, had several glaring 
findings and recommendations. 

One of these findings is what I have realized and articulated 
through many years of oversight of the Secret Service: The law en- 
forcement agency needs to undergo a cultural change that includes 
leadership that is capable of fostering greater accountability. 
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The panel stated, “The agency is starved for leadership.” Unfor- 
tunately, is still seems that as if the Secret Service has yet to be 
fed. 

Since the Protective Mission panel completed its review, the Of- 
fice of the Inspector General has led investigations into misconduct 
involving Secret Service supervisors on more than one occasion. 

The inspector general found that in March, at least 4 supervisors 
turned a blind eye when 2 veteran agents, including the head of 
the President’s protective detail, disrupted a bomb investigation by 
allegedly driving impaired through a barricade at the White House. 

Last month, the inspector general found that at least 45 agents 
improperly accessed a 1980s mainframe database to retrieve infor- 
mation in an attempt to embarrass a Member of Congress. Of those 
agents who may have broken the law by improperly accessing this 
database, approximately 18 of them were at the GS-15 and SES 
levels. 

The findings also concluded the director of the Secret Service, his 
deputy director and his chief of staff failed to take seriously that 
agents were discussing information about the Congressman’s per- 
sonnel file. 

The inspector general also made the finding that the assistant di- 
rector of training — the person appointed by Director Clancy to 
manage and direct all aspects of personnel, career development, 
and professionalism — suggested that the information found in the 
database be leaked in retaliation to Congressional oversight. 

The IG’s findings further illustrate that there is a lack of leader- 
ship and accountability from the top down. In this instance, very 
little leadership and accountability was shown. Director Clancy has 
indicated that the Secret Service will be expanding and undergoing 
a rigorous and necessary hiring phase. The new hires will be look- 
ing to their leaders for guidance. 

As the Secret Service expands, it is our responsibility as Mem- 
bers of Congress to assist the Secret Service with adequate, nec- 
essary funding for its mission. Both the Protective Mission panel 
and the inspector general, have indicated that officer fatigue can 
place protectees at risk. 

The agency also needs to have the capacity to properly vet em- 
ployees before they begin work rather than continuing the practice 
of having uncleared personnel working in sensitive areas such as 
the White House. 

The new recruits should represent America and have opportuni- 
ties for advancement. As of right now, the Secret Service’s direct 
diversity numbers are dismal. Furthermore, it would be hard for 
the law enforcement agency’s commitment to equal opportunity and 
inclusion to be taken seriously with a class-action, racial-discrimi- 
nation lawsuit still hanging over the Secret Service’s head, and the 
Secret Service using every delay tactic it can instead of resolving 
the lawsuit amicably. 

There must be some sweeping changes made at the Secret Serv- 
ice. I know the deeply-rooted problems will not cease overnight, but 
we must get to the source of them instead of continuously glossing 
over, putting on Band-Aids, and going forward with business as 
usual. 



11 


I look forward to working with the Secret Service to advance its 
mission. With that I yield back. 

Mr. Perry. Chair thanks the gentleman. The Chairman reminds 
other Members of the subcommittee that opening statements may 
be submitted for the record. 

We are pleased to have a distinguished panel of witnesses before 
us today on this important topic. The witnesses’ entire written 
statements will appear in the record. 

The Chair will introduce all of the witnesses first and then recog- 
nize each of you for your testimony. 

Mr. Joseph Clancy was appointed director of the United States 
Secret Service in February 2015, after serving as acting director 
since October 2014. Previously, Mr. Clancy served as the special 
agent in charge of the Presidential Protective division. Mr. Clancy 
began his career with the Secret Service in 1984 in the Philadel- 
phia field office. 

Welcome. 

The Honorable John Roth assumed the post of inspector general 
for the Department of Homeland Security in March 2014. Pre- 
viously, Mr. Roth served as the director of the Office of Criminal 
Investigations at the Food and Drug Administration and as an as- 
sistant U.S. attorney for the Eastern District of Michigan. 

Welcome, Mr. Roth. 

Mr. Joel Willemssen is managing director for the information 
technology issues at the Government Accountability Office, the 
GAO, where he leads the GAO’s evaluations of information tech- 
nology across the Federal Government. 

Since joining GAO in 1979, he has led numerous reviews of infor- 
mation technology systems and management at a variety of Fed- 
eral agencies. 

Welcome, Joel. 

Thank you for being here today. The Chair now recognizes Mr. 
Clancy for his opening statement. 

STATEMENT OF JOSEPH P. CLANCY, DIRECTOR, UNITED 

STATES SECRET SERVICE, U.S. DEPARTMENT OF HOMELAND 

SECURITY 

Mr. Clancy. Good morning, Mr. Chairman, Chairman Lankford, 
Chairman Perry, Chairman Johnson, Ranking Member Watson 
Coleman, and Ranking Member Thompson, and distinguished 
Members of the committee. 

Thank you for the opportunity to testify today. I plan to address 
the findings from the recent OIG report and the many improve- 
ments implemented over the past year designed to address the Pro- 
tective Mission Panel findings. 

I also look forward to discussing the numerous organizational 
changes we have made at the United States Secret Service, and 
would like to express my gratitude and recognize the support of 
Secretary Johnson and the Congress in making many of these 
changes possible. 

I sit before you today a proud representative of the thousands of 
men and women who selflessly execute the mission of this agency 
on a daily basis. Recent accomplishments, including 4 near-simul- 
taneous Special Security Events surrounding the papal visit and 
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the United Nations General Assembly, as well as a number of high- 
profile cyber investigations serve to reinforce this feeling. 

In fact, in addition to initiating protection of two Presidential 
candidates last week, Secret Service personnel are at this very mo- 
ment deployed around the world ensuring the President’s safety 
while in Southeast Asia in yet another example of their commit- 
ment and dedication to the mission. 

Despite the Secret Service’s many recent successes, I recognize 
that the primary reason we are here today is to address the mis- 
conduct detailed in the OIG’s report. This investigation arose from 
allegations that the Secret Service employees inappropriately uti- 
lized an internal database to access the applicant record of an indi- 
vidual who is now a Member of Congress. 

The misconduct outlined in the report is inexcusable and unac- 
ceptable. This conduct is not supportive of the agency’s unique posi- 
tion of public trust. On behalf of the men and women of the Secret 
Service, I would like to publicly renew my apology for this breach 
of trust and affirm my commitment to restoring it. 

The OIG reported that these employees violated existing Secret 
Service and DHS policies pertaining to the handling of the Privacy- 
Act-protected information. At the time that these violations oc- 
curred, relevant policies and procedures were in place and could be 
found in a number of locations, including the Secret Service Ethics 
Guide, the Table of Penalties, policy manuals and required on-line 
training courses. I was angered by the willful disregard of these 
policies and I am determined to ensure that all employees are held 
to the highest standards of professional conduct. 

As I stated on prior occasions, I am committed to ensuring the 
accountability in this matter regardless of rank or seniority. Sec- 
retary Johnson and I stand together on this point. To date, several 
dozen employees have been issued disciplinary proposals relating to 
these events. More are on the way. The discipline is being adminis- 
tered in accordance with DHS and Secret Service policy, and I am 
confident that these actions will be fair, appropriate, and completed 
in a timely fashion. 

A contributing factor that allowed multiple individuals to im- 
properly access this information was the nature of the information 
system that housed the data. Secret Service recognized this defi- 
ciency some years ago and began a process to modernize its IT in- 
frastructure to allow for such data to be compartmentalized and re- 
strict the access to those with an official need to know. This process 
was completed this past June. 

At this time, the MCI system has been officially retired. With re- 
spect to applicant records, the number of employees with access to 
the new system has been reduced by more than 95 percent. 

Finally, much has been made of my statements and a decision 
of the OIG to reopen the investigation on October 5, 2015. Prior to 
publicly releasing the report on September 30, the OIG provided a 
draft copy for my review which reflected my statement that I be- 
came aware of the rumor on April 1. 

As my colleagues and I reviewed the draft, I was reminded that 
I had, in fact, been made aware of the rumor on March 25. How- 
ever, let me be clear that what I was made aware of was a rumor 
with no indication of employees’ misconduct or employees accessing 
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internal databases. In order to ensure the accuracy of the report 
and knowing the concern it would cause, I took the initiative to 
contact Mr. Roth prior to the report’s publication to ensure the re- 
port was accurate and correct on this point. 

With respect to the recommendations of the Protective Mission 
Panel, tremendous progress has been made in all areas. I am proud 
to say that we have significantly altered the way the Secret Service 
is structured and managed. We have also made strides in hiring 
new members of our workforce and expanding training opportuni- 
ties for current members. 

I am also realistic in knowing that many of the changes we are 
making will take time and that we must continue to communicate 
these changes to our workforce. 

In the interest of time, I will point you to my written testimony 
submitted in advance of this hearing for a more thorough descrip- 
tion of this process and look forward to discussing our progress on 
these recommendations with each of you today. 

I would like to close by remembering a remarkable leader and 
true friend, former Assistant Director Jerry Parr. Jerry is widely 
known for the decisive actions he took during the March 30, 1981, 
assassination attempt on President Ronald Reagan. The decisions 
he made that day, including evacuating the President directly to 
the hospital, likely saved the life of the President. As I reflected on 
his passing, I had the opportunity to review a speech he made to 
a graduating special agent training class in 1994. 

He stated, “An organizational culture is a product of time, suc- 
cesses, sufferings, failures and just plain hard work. After a hun- 
dred years or so, deep roots are developed and a corporate memory 
evolves. While another agency can purchase persons, equipment 
and technology similar to the Secret Service, it cannot buy this cor- 
porate memory. This is a priceless commodity.” 

As the men and women of this agency traverse these challenging 
times, it is important to remember that culture involves more than 
an agency’s failures and that the successes derived from hard work 
and dedication will prevail as the lasting corporate memory of the 
Secret Service. 

Thank you and I welcome any questions you may have. 

[The prepared statement of Mr. Clancy follows:] 

Prepared Statement of Joseph P. Clancy 
November 17, 2015 

Good afternoon, Chairman Lankford, Chairman Perry, Ranking Member 
Heitkamp, Ranking Member Watson Coleman, and distinguished Members of the 
committees. Thank you for the opportunity to testify today. I look forward to dis- 
cussing the on-going challenges at the United States Secret Service (“Secret Serv- 
ice”) including those recently outlined by the Department of Homeland Security 
(“DHS”) Office of Inspector General (“OIG”). I am also prepared to elaborate on the 
organizational changes and improvements implemented over the past year to ad- 
dress them. I would like to express my gratitude and recognize the support of Con- 
gress in making many of these changes possible. 

I proudly sit before you today representing the thousands of men and women who 
selflessly execute the mission of this agency on a daily basis. Over the past 150 
years, the Secret Service has established itself as one of the most highly-regarded 
law enforcement agencies in the world. Throughout our history, we have continued 
to answer the call to serve our country, and through our work, have created a tradi- 
tion of excellence. The cornerstone of our success is the absolute dedication to duty 
displayed by the men and women of this agency. 
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INVESTIGATION INTO THE IMPROPER ACCESS OF A SECRET SERVICE DATA SYSTEM 

I would like at the outset to address the recent investigation by the DHS OIG 
into allegations that Secret Service employees improperly accessed and distributed 
information in internal databases. The investigation found that a number of employ- 
ees violated existing Secret Service and DHS policies pertaining to the unauthorized 
access and disclosure of information protected by the Privacy Act of 1974. The be- 
havior these employees exhibited is unacceptable. I am angered by the underlying 
actions reflected in the OIG’s findings and am committed to ensuring that all em- 
ployees are held to the highest standards of professional conduct, whether on- or off- 
duty. Those we protect and the public we serve expect us to live by our oaths and 
the values we have established as an agency, and we should demand nothing less 
from each other. We are better than the actions illustrated in this report and people 
will be held accountable for their actions. We have made necessary changes to tech- 
nology in order to limit the potential for future misconduct, and are implementing 
enhanced training. I will continue to review policies, practices, and training to ad- 
dress employee misconduct and demand the highest level of integrity of all our em- 
ployees. 

Accountability 

On behalf of the men and women of the Secret Service, I would like to publicly 
renew my apology for this breach of trust and confidence and state my commitment 
to restoring it. I have heard loud and clear the demand for accountability and need 
for timely, decisive discipline — and I agree. I also understand that apologies and ex- 
pressions of anger are not enough. Secretary Jeh Johnson and I stand together on 
this point. Appropriate discipline is being administered in accordance with DHS and 
Secret Service policy. I am confident that the actions regarding the individuals in- 
volved will be prompt, fair, and appropriate. 

Technology 

On March 24, 2015, there were technological security deficiencies within the Se- 
cret Service’s primary internal database that contributed to the unauthorized access 
of information. These internal vulnerabilities have been addressed and the potential 
for similar misconduct in the future mitigated. The Master Central Index (“MCI”) 
was a mainframe application developed in 1984 that served as a central searching 
application and case management system. More specifically, MCI contained records 
from protective, investigative, and human capital divisions and served as a single 
access point for investigators and administrators. A significant deficiency of this ar- 
rangement was that an MCI user had access to all of the data in MCI regardless 
of whether it was necessary for that user’s job function or not. 

The Secret Service’s Information Integration and Technology Transformation 
(“IITT”) program was established in fiscal year 2010. In recognition of the limita- 
tions of MCI and other mainframe applications, the Secret Service initiated the 
Mainframe Application Refactoring (“MAR”) project in 2011 to assess the existing 
48 applications residing on the mainframe and migrate necessary capabilities and 
accompanying data to a non-mainframe, secure, highly-available and compartmen- 
talized environment. DHS estimated the project would take 10 years to complete. 
The Secret Service accelerated the MAR project in 2013 and was able to achieve 
project closure on June 24, 2015. At that time, all employee mainframe access was 
revoked. The new systems are completely operational, and all legacy data has been 
migrated to new platforms where data is locked down and access to data is depend- 
ent upon job function. Protective, investigative, and human capital records reside in 
different systems and internal controls have now been implemented to restrict ac- 
cess to those systems in two ways. Now access is: (1) Limited to the respective direc- 
torates responsible for the information; and/or (2) based on the role of the system 
user within the organization. Shutdown of MCI began at the end of July, and it was 
fully powered down on August 12, 2015. Disassembly of the mainframe began in Au- 
gust, and it was physically removed from the data center on September 16, 2015. 

Training 

The OIG report also cited the need for improved and more frequent training re- 
lated to unauthorized access of sensitive data. We have been working to reiterate 
and reinforce existing policies and training. This includes the long-standing, existing 
policy regarding the proper access to databases and handling of Privacy Act pro- 
tected information, which is clearly stated in the Secret Service Ethics Guide, in the 
Table of Penalties, and within the Secret Service Manual sections related to rules 
of behavior with respect to the use of information technology. Employees are re- 
quired to certify annually that they have reviewed these manual sections. 
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At the time of the conduct in question, the Secret Service was already providing 
a 1-hour briefing to Special Agent and Uniformed Division Training Classes that in- 
cludes material on the Privacy Act. A senior Government Information Specialist 
from the Freedom of Information Act and Privacy Act Branch of the Office of Gov- 
ernment and Public Affairs teaches the class and focuses, in part, on PII, with com- 
prehensive instructional material on the subject added to the content in approxi- 
mately 2012. A 1-hour in-service on-line training titled “IT Security Awareness” is 
required as part of the agency’s adherence to the F ederal Information Security Man- 
agement Act (“FISMA”). The course outlines the role of Federal employees in the 
protection of information and in ensuring the secure operation of Federal informa- 
tion systems. The Privacy Act is also discussed during in-service ethics classes ad- 
ministered to the field by Secret Service Office of Chief Counsel instructors. Fur- 
ther, DHS requires Secret Service employees to complete annual in-service on-line 
training titled, “Privacy at DHS: Protecting Personal Information.” This training 
was incorporated into the required curriculum in 2012 and covers proper handling 
of PII. While the class is annually required, due to the gravity of the findings in 
the OIG report, I instructed the workforce in an official message on October 16 to 
retake the class by November 30. 

Additionally, at my direction enhanced briefings regarding the Privacy Act are 
now being provided to Special Agent and Uniformed Division Training Classes by 
Office of Chief Counsel instructors. A permanent curriculum is being developed and 
a formal class for candidate and in-service employee training is anticipated in the 
near future. 

Finally, I would like to address my statements and the decision of the OIG to re- 
open the investigation on October 5, 2015. Prior to the public release of the report 
on September 30, 2015, the OIG provided me a draft electronic copy of the report 
for review. I received this draft report from the OIG during the National Special 
Security Events (“NSSEs”) in New York City associated with the Pope’s visit and 
the UN General Assembly. During the process of reviewing the draft, I was re- 
minded by a colleague that I had been informed of a rumor regarding the individ- 
ual’s application history on March 25. While I myself do not recall hearing of this 
rumor, several others have confirmed that I did, and that it was a general rumor 
about the individual’s past application; it did not relate to USSS employees improp- 
erly accessing databases or sharing protected information. In order to ensure accu- 
racy within the report, on my own initiative I contacted the OIG to correct the 
record. I did not make the decision to contact the OIG blindly and was fully aware 
that additional scrutiny would result from my doing so. I made this decision because 
I feel that it is important to be as forthcoming, accurate, and complete as possible. 
I expect this from my employees and expect nothing less from myself. 

The OIG published an addendum in October reporting its assessment of the up- 
dated information pertaining to when I was made aware of this rumor. Interviews 
with former directors, my deputy director, and my former chief of staff only serve 
to corroborate that the information available to me at the time was nothing more 
than a rumor. The information was not attributed to a Secret Service data system 
or indicative of any action — inappropriate or otherwise — by any Secret Service em- 
ployee. Nothing in the addendum contradicts what I have maintained from the be- 
ginning — that at no time prior to April 2, was I aware that potential misconduct 
could be the source of this rumor. When I did learn of it, I began taking immediate 
action, contacting the OIG and sending an official message to the workforce on the 
handling of sensitive information. 

FULFILLING THE INDEPENDENT PROTECTIVE MISSION PANEL’S RECOMMENDATIONS 

I would now like to turn to the actions we have taken to implement the rec- 
ommendations of the independent Protective Mission Panel (the “Panel”), which was 
established by Secretary Jeh Johnson following the events of September 19, 2014 
to undertake a broad review of the Secret Service’s protection of the White House 
complex. The Panel’s work, aided by full cooperation of the Secret Service and DHS, 
concluded with the publication of the Report from the United States Secret Service 
Protective Mission Panel to the Secretary of Homeland Security (the “Report”), issued 
on December 15, 2014. 

The Report memorialized the findings and recommendations of the Panel in three 
general areas: Training and Personnel; Technology, Perimeter Security, and Oper- 
ations; and Leadership. Upon receipt of the Report, the Secret Service acknowledged 
and accepted the Panel’s findings and recommendations. A number of the issues 
found in the review were recognized independently prior to the issuance of the Re- 
port and were being addressed, while those that remained were prioritized and in- 
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corporated into a strategic action plan designed to fully implement the Panel’s find- 
ings as time and resources permitted. 

I am proud to say that we have significantly altered the way the Secret Service 
is structured and managed since my return to the agency. We have also made 
strides in hiring new members of our workforce, and in expanding training opportu- 
nities for current members. I am also realistic in knowing that the changes we are 
making will take time to realize their full impact, particularly as they relate to 
staffing levels, and that we must continue to communicate these changes to our 
workforce. Some of the PMP recommendations will never be closed, as they require 
a commitment to on-going evaluation, innovation, and continuous improvement. I 
am hopeful that the structural changes we have made to the Secret Service will fos- 
ter an environment where this perspective is not only valued, but also encouraged. 
I am committed to this process and am certain that the Secret Service will emerge 
a stronger agency with the continued support of the Department, the administra- 
tion, and the Congress. 

Training and Personnel 

I recognized early on in my tenure that many of the most serious problems facing 
the Secret Service can be traced back to inadequate staffing levels. Achieving appro- 
priate staffing levels will allow the workforce to undertake a level of training com- 
mensurate with the mission and help to address the resultant effect on morale. 
Once underway, the process is, to some extent, self-repairing in that as morale im- 
proves, attrition rates will fall and staffing levels will continue to increase toward 
desired levels. 

In May 2015, to address staffing issues and following a wider professionalization 
initiative in which I placed civilian specialists in executive-level leadership posi- 
tions, I implemented a reorganization effort aimed at more efficiently recruiting and 
hiring special agents, Uniformed Division (“UD”) officers, and administrative, pro- 
fessional, and technical (“APT”) personnel. Both the Human Capital and Recruit- 
ment Divisions were closed and their collective responsibilities were redistributed to 
a number of new divisions. The Talent and Employee Acquisition Management Divi- 
sion (“TAD”) is one such division, and this reorganization has allowed its managers 
to focus exclusively on recruiting and hiring diverse applicants to fill special agent, 
UD, and APT positions. In the ensuing months, TAD has implemented a modern 
recruitment strategy, including embracing social media as a recruiting tool and 
budgeting fiscal year (“FY”) 2016 dollars towards an aggressive advertising cam- 
paign aimed at attracting qualified applicants to the agency. Further, in order to 
avoid bottlenecks and streamline the process of on-boarding qualified applicants, the 
Secret Service is hiring contractors to serve as a stop-gap solution for reviewing hir- 
ing qualifications through TAD and monitoring background investigations through 
the Security Clearance Division (“SCD”) until an adequate number of APTs can be 
hired and trained to perform these functions. 

Identifying our needs is a key element of supporting appropriate staffing levels 
because it drives our budget requests and justifications. In July, we completed the 
U.S. Secret Service Human Capital Plan for fiscal year 2015 through 2019. This 
foundational document identifies our strategy for increasing staffing levels, by ac- 
counting for mission, training, and work/life balance requirements. Consistent with 
the results of the PMP, our analysis suggests that staffing levels must significantly 
increase over the next 5 years to support not only our mission requirements but also 
our employee training and work/life balance needs. We look forward to continuing 
our work with the Department and Congress to secure the financial resources nec- 
essary to support these enhanced staffing levels. 

In response to the PMP recommendation that the Secret Service increase the 
number of personnel assigned to UD and the Presidential Protective Division 
(“PPD”), we worked closely with the Federal Law Enforcement Training Center 
(“FLETC”) to schedule 10 special agent classes with 195 agents and 8 UD classes 
with 151 officers in fiscal year 2015, a significant increase from years immediately 
preceding. Additionally, in fiscal year 2016, we have again asked FLETC for in- 
creased numbers of trainee classes and hope to bring 12 special agent and 12 UD 
classes on board this year. Today, the recommended personnel increase to PPD is 
substantially complete, while efforts to reach net gains that approach recommended 
levels in UD continue in the face of greater challenges with respect to attrition and 
retention. Given this challenge, the Secret Service recently introduced a UD reten- 
tion bonus and is engaged with the Department to develop additional programs de- 
signed to incentivize members of our talented workforce to refrain from separating 
prematurely from the agency. 

A number of the Panel’s recommendations were directed to training, including 
conducting integrated training in realistic conditions, and an increase in the overall 
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amount of training received by agents and officers assigned to protective functions. 
The Secret Service has worked diligently to implement integrated training between 
the various units assigned to the White House complex. Currently, 99% of UD offi- 
cers and technicians Have completed specially created “Emergency Action/Building 
Defense” training. Training for agents assigned to permanent protective details has 
also increased with special agents on the Presidential Protective Division receiving 
approximately 25% more training in fiscal year 2015 than in fiscal year 2014. In 
order to more realistically simulate the conditions in which our agents, officers, and 
technicians operate, our fiscal year 2016 budget request includes funds directed to 
the design and construction of a more permanent White House training facility. Ad- 
ditionally, as staffing levels increase, the number of training hours that personnel 
assigned to UD and protective details receive will continue to increase accordingly. 
I firmly believe that, given the nature of the Secret Service’s integrated mission, the 
importance of the amount and quality of training provided to our workforce cannot 
be overstated. 

Technology, Perimeter Security, and Operations 

For the purposes of today’s hearing, I will speak generally to the Panel’s rec- 
ommendations on technology and perimeter security. The Panel believed strongly, 
as do I, that operational issues related to the protection of the White House should 
not be the subject of a detailed public debate in their report or any other fora. I 
pledge to continue to provide you and your staffs with relevant information in the 
proper setting, at your request, as we move forward implementing these rec- 
ommendations. My No. 1 priority has been, and is, the protection of the President, 
Vice President, and their families. 

To address longer-range future technology needs, the Secret Service will continue 
to partner with the Department’s Science and Technology Directorate, the Depart- 
ment of Defense, and our partners in the intelligence community to ensure we are 
researching, developing, and deploying cutting-edge technology. 

The Secret Service has recognized the need for protective enhancements to the 
White House complex fence and is currently working with stakeholders to create a 
viable, long-term solution. This multi-phase project began with the formation of re- 
quirements that are guiding a formal study aimed at identifying various fence op- 
tions. These requirements encompassed security concerns identified by the Secret 
Service, including efforts to delay intruders, as well as aesthetic and historic con- 
cerns put forward by the National Park Service (“NPS”). 

Working at a highly accelerated pace with the National Capital Planning Commis- 
sion (“NCPC”), the U.S. Commission of Fine Arts, and the NPS, the Secret Service 
was able to not only secure approval for, but also complete the installation of an 
interim improvement to the fence that inhibits the ability of individuals to climb 
it. We also worked with NPS to complete a study to identify the options for perma- 
nent enhancements to perimeter security earlier this year. We are moving forward 
with the design phase of this project, and look forward to working with the NCPC 
to secure its approval in early 2016. 

Leadership 

The majority of the recommendations contained in the Report fell under the cat- 
egory of “Leadership.” Dynamic leadership that encourages open communication, re- 
wards innovation, values flexibility, rejects insularity, and embraces personal ac- 
countability is vital to the agency’s long-term success. Based upon the Panel’s re- 
view, and my own assessments, I implemented several leadership changes in the Se- 
cret Service executive management team earlier this year. These changes were nec- 
essary to gain a fresh perspective on how we conduct business. The Panel’s rec- 
ommendations on leadership have been incorporated into the strategic action plan 
referenced above. 

The Panel recommended that the agency should promote specialized expertise in 
its budget, workforce, and technology functions. This assessment has been em- 
braced, and, through a professionalization initiative, many executive positions for- 
merly held by career law enforcement agents are now held by civilians with the 
training and experience necessary to effectively guide an organization of this size. 
First and foremost, we established a new chief operating officer (COO) position, a 
non-law enforcement Senior Executive Service (SES)-level position that is equivalent 
to the deputy director. Along with the creation of this position, we elevated the Of- 
fice of the Chief Financial Officer (CFO ) to a directorate-level entity, created the Of- 
fice of Strategic Planning and Policy (OSP), and split the Office of Human Resources 
and Training (HRT) into two directorate-level offices — the Office of Human Re- 
sources (HUM) and the Office of Training (TNG). By splitting HRT into two direc- 
torates, we are expecting to achieve greater focus on two key areas of concern for 
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the PMP — staffing and training. In the revised organizational structure, the CFO, 
HUM, OSP, and the chief information officer (CIO) are now aligned under the COO. 
We will continue to evaluate our organizational structure and make changes where 
it is necessary. 

In addition to the structural changes, we used this opportunity to evaluate the 
skills required for directorate-level leadership positions to examine which would be 
best filled by non-law enforcement professionals. As a result of this examination, 
three of our ten directorates are led by non-law enforcement professionals, including 
the CFO, OSP, and our Office of Technical Development and Mission Support 
(TEC). Further, we have enhanced our executive-level perspective by appointing 
non-law enforcement professionals to the SES-level roles of CIO, deputy CIO, and 
component acquisition executive (CAE), and are in the process of hiring for a newly- 
created SES-level director of communications position. 

One of the principal responsibilities of the CFO has been to start the process for 
developing a zero-based budget as recommended by the panel. This enormous under- 
taking is underway, and it is my hope that a mission-based budget will begin to 
be implemented in the fiscal year 2018 budget cycle. Important steps have been 
taken in furtherance of this goal, including the development of the previously men- 
tioned Human Capital Plan, and benchmarking Secret Service analytical capabili- 
ties, staff resources, and planning activities with comparable organizations. 

A common theme within the panel’s recommendations on leadership was the need 
for improved internal and external communication. I wholly adopt this view and 
firmly believe that improved communication is directly related to increased effec- 
tiveness and morale. I have affirmed this priority to the executive management 
team, and my expectation and message to them is that they do the same within 
their directorates. The agency’s priorities have been communicated externally 
through active engagement with the Department, the administration, and Congress. 
This outreach will continue, and future operational and managerial decisions will 
be guided by these priorities. 

Internally, I have personally visited many of our field offices, all former Presi- 
dential protective details, and conducted video-conferenced town hall meetings with 
the agency’s workforce. I have joined officers and agents at the White House com- 
plex and the Vice-President’s residence during their daily roll call. Earlier this year, 
I met with field supervisors for an Investigative Issues Focus Group to obtain a bet- 
ter understanding of the issues and concerns of the agents in the field. I plan to 
continue to have an open and honest conversation with members of our workforce 
about their concerns and discuss what I can do to address them. 

As part of our outreach to employees, we conducted a Work/Life Assessment 
through a third-party contractor. The results of the 47 focus groups conducted under 
this effort provided us with a roadmap that allowed us to identify and begin to act 
upon the concerns of our workforce. In terms of delivering information, we have 
started sending important email messages to affected employees’ individual inboxes, 
which allows them much easier access to information than was previously available 
only via official messages accessible exclusively through a networked connection to 
the Secret Service email server. Additionally, we have started to leverage multi- 
media in our approach, including creating videos to communicate major policy 
changes and initiatives. Finally, just weeks ago, we launched a new web-based plat- 
form, Spark!, which we expect will enhance two-way communication between the 
workforce and leadership by providing a forum to raise ideas, suggestions, and con- 
cerns. Employees should have every assurance that I will continue to work to share 
information and feel it is my responsibility to find solutions to the issues or concerns 
they voice. 

Accountability is another issue that I believe the Panel was rightly focused on due 
to its effects on workforce morale and operational readiness. Even before the Panel 
issued its recommendations, as a result of a number of incidents involving personal 
conduct, my predecessors had already taken important steps to address these issues. 
These steps were intended to increase transparency, consistency, and fairness in 
disciplinary actions and included the following: 

• A Professionalism Reinforcement Working Group (“PRWG”) was initiated to 
conduct an objective and comprehensive review of the agency’s values and pro- 
fessional standards of conduct; 

• As a result of the PRWG, we created and published a comprehensive ethics 
guide, initiated an active schedule of ethics training, conducted integrity train- 
ing, and implemented a new centralized disciplinary policy including a Table of 
Penalties (issued on 11/15/2013); 

• An “Inspection Hotline” was created and prominently displayed on the Secret 
Service’s Intranet Home page for employees to report misconduct to the Secret 
Service Office of Professional Responsibility or the DHS OIG and allow the 
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agency or the Department to initiate swift investigative or administrative ac- 
tion; 

• Extensive training requirements for new supervisors were created. Training in- 
cludes mandatory completion of the DHS leadership development program and 
the agency’s 40-hour, classroom-based Management and Emerging Leaders sem- 
inars. The requirements also include the assignment of a senior-level mentor to 
guide supervisors in the first year of their assignment; 

• The chief integrity officer position was established, and we reinforced the impor- 
tance of leadership and accountability with supervisors and provided develop- 
mental training to over 5,000 employees; and 

• The ITG created a Discipline Analysis Report for Calendar Year 2014, which 
we posted for all employees to view on our intranet site. The posting of this re- 
port was the first time the Secret Service made this type of data available for 
review by the workforce and underscores our commitment to support a culture 
of transparency within our workforce. We made this decision in response to the 
concerns raised by the workforce regarding the consistency and fairness of our 
discipline process. 

As recommended by the Panel, we firmly believe that we can further enhance and 
improve our performance by partnering with other organizations to collect their best 
practices and leverage their knowledge. We have greatly expanded our outreach ef- 
forts to learn from the Department of Defense and intelligence community, particu- 
larly in the areas of training and technology. 

In the area of training, the Secret Service completed a number of joint training 
exercises with entities that included representatives from the military, Federal, 
State, and local law enforcement and other protective agencies. Our employees bene- 
fited from the perspective of the Department of Defense community during training 
opportunities at their facilities. In other cases, like the security planning and prepa- 
ration preceding the Papal visit last month, our employees had a chance to examine 
protective methodologies while observing security officials from the Vatican. These 
efforts were in addition to the opportunity to work with the security personnel who 
traveled with the world leaders that attended the 70th United Nations General As- 
sembly. 

The Secret Service also has benefited from both existing and newly-established re- 
lationships within the interagency and intelligence communities and with the De- 
partment of Defense related to technology. A few examples where we are currently 
leveraging these relationships include the challenges with unmanned aerial vehicles 
(“UAV”) and gunshot detection. 

While the above summarizes our activities in a number of areas, the totality of 
the actions we have taken since receiving the recommendations of the PMP is sub- 
stantial. Secret Service employees at every level have been working hard not only 
to support our mission requirements, but also to establish the foundation for signifi- 
cant changes that will positively impact the Secret Service over the long-term. 

MISSION EXCELLENCE 

In addition to working on the implementation of the Panel’s recommendations, 
one of my biggest priorities over the past year has been to restore the Secret Serv- 
ice’s reputation of mission excellence. Thousands of special agents, uniformed offi- 
cers, and civilian staff successfully fulfill the integrated mission of this agency every 
day throughout the world. 

It is important to remember that protection is only a portion of the integrated 
mission of the Secret Service. The expertise, maturity, and judgment special agents 
develop as criminal investigators conducting counterfeit currency, financial, or cyber 
crime investigations are essential to the extremely critical and demanding work of 
protecting our Nation’s highest elected leaders, as well as those world leaders who 
travel to our country. 

Just 2 months ago, members of the Secret Service came together from field offices 
across the country and throughout the world to successfully execute security plans 
at 4, near-simultaneous NSSEs while also protecting President Xi Jingping of China 
during his first state visit to the United States. The planning for the 4 NSSEs 
spanned over 8 months. This is the first time in the history of the agency — or this 
country — that such a feat has been accomplished. 

The 4 NSSEs involved a monumental three city tour of Pope Francis to Wash- 
ington, DC, Philadelphia, PA, and New York, NY, as well as the 70th United Na- 
tions General Assembly. Agency personnel coordinated security plans for the Presi- 
dent, Vice-President, Pope, and approximately 160 heads of state and over 80 
spouses. 
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In addition to honing personnel who are able to serve as specialists in the plan- 
ning and staffing of protective operations, the integrated mission serves another 
purpose. Agents in the field also forge strong relationships with local law enforce- 
ment partners in investigations that pay dividends when we need their assistance 
during a protective visit. The Secret Service has long recognized that partnerships 
and cooperation act as force multipliers in both our protective and investigative mis- 
sions. In this instance, with the need for critical support from State and local part- 
ners, these relationships proved to be invaluable. 

Plans for the NSSEs in September involved bringing together 2,500 additional 
Federal law enforcement officers from other Federal agencies, the support of dozens 
of State and local law enforcement organizations, screening over 1 million people, 
and securing over 25 individual sites including the United States Capitol, Central 
Park and Madison Square Garden in New York, and the Benjamin Franklin Park- 
way in Philadelphia. At the same time, preparations were underway and continue 
to be developed for upcoming Presidential trips with multiple stops in Asia, Presi- 
dential and Vice-Presidential candidate protection, the two National political con- 
ventions, and Presidential and Vice-Presidential debate sites. 

In addition to the 4 NSSEs, the Secret Service in fiscal year 2015 conducted over 
6,245 protective visits. Protective details and field agents ensured protection for over 
5,981 domestic stops and approximately 264 international stops. The Secret Service 
Uniformed Division completed more than 677 magnetometer/X-ray operations as- 
signments, and screened more than 2,742,620 members of the public. The Secret 
Service stopped approximately 2,847 weapons at magnetometer checkpoints from 
entering secure venues. The protective mission was also supported by over 6,617 
protective surveys and approximately 136 protective intelligence arrests. 

Additionally, Secret Service investigations continue to produce Nationally and 
internationally significant results, much of them in strong coordination with the De- 
partment of Justice, other law enforcement agencies, and our public- and private- 
sector partners. Two recent cases exemplify the work our agents do daily, in order 
to protect our Nation’s financial infrastructure. 

In October, the Secret Service worked to apprehend and extradite yet another al- 
leged cyber criminal — Sergey Vovnenko. Vovnenko is charged with conspiring to 
hack into the computer networks of individual users and corporations to steal log- 
in credentials and payment card data. According to the indictment, for almost 2 
years, Vovnenko and his conspirators operated an international criminal organiza- 
tion that stole data, including user names and passwords for bank accounts and 
other online services, as well as debit and credit card numbers and personally iden- 
tifiable information. To carry out this crime, Vovnenko allegedly operated a “botnet” 
of more than 13,000 computers infected with malicious computer software pro- 
grammed to gain unauthorized access to other computers and to identify, store, and 
export information from hacked computers. 

In the same week that Vovnenko appeared in Federal court in Newark, the Secret 
Service, in coordination with its partners in the Peruvian National Police, arrested 
4 suspects with ties to the production and transportation of counterfeit U.S. cur- 
rency. At the time of the arrests, the suspects were traveling to the airport en route 
the United States and allegedly possessed close to $850,000 of counterfeit U.S. cur- 
rency skillfully secreted in suitcase liners. According to Secret Service records, one 
of the particular types of counterfeit notes seized in this case has a passing history 
exceeding $34 million dating back to 2009. These are just two examples of the agen- 
cy’s highly successful investigative work for which hard-working personnel should 
be commended. 


CONCLUSION 

As I look back over the past year, I see an agency in the midst of reform. I wish 
that people could walk in my shoes for a day and see what I see — a workforce with 
an uncompromising sense of duty and commitment to its integrated mission. 

Recently, the Secret Service lost a remarkable leader and true friend in former 
Assistant Director Jerry Parr. Jerry is widely known for the decisive actions taken 
during the March 30, 1981 assassination attempt on President Ronald Reagan. The 
decisions he made that day, including evacuating the President directly to the hos- 
pital, likely saved the life of the President. As I reflected on his passing, I had the 
opportunity to review a speech he made to a graduating special agent training class 
in 1994. In that speech he spoke of culture. He said: 

“An organizational culture is a product of time, successes, sufferings, failures, and 
just plain hard work. After a hundred years or so, deep roots are developed, and 
a corporate memory evolves. While another agency can purchase persons, equip- 
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ment, and technology similar to the Secret Service, it cannot buy this corporate 
memory. This is a priceless commodity.” 

As the men and women of this agency traverse these challenging times, I am 
heartened by the corporate memory of this great organization. I am confident that 
through unparalleled dedication of our personnel, and the actions we are taking to 
reform and improve, the Secret Service will meet the standard of excellence that we 
have established over our history and which our Nation’s leaders and the American 
people rightly expect of us. 

Chairman Lankford, Chairman Perry, Ranking Member Heitkamp, and Ranking 
Member Watson Coleman, this concludes my written testimony. I welcome any 
questions you have at this time. 

Mr. Perry. Thank you, Mr. Clancy. 

The Chair now recognizes Mr. Roth for an opening statement. 

STATEMENT OF JOHN ROTH, INSPECTOR GENERAL, OFFICE 

OF INSPECTOR GENERAL, U.S. DEPARTMENT OF HOMELAND 

SECURITY 

Mr. Roth. Chairmen Lankford, Perry, and Johnson, Ranking 
Members Heitkamp, Watson Coleman, and Thompson and Mem- 
bers of the subcommittee, thank you for inviting me here today to 
testify. 

We have conducted a number of investigations, audits, inspec- 
tions of Secret Service programs and operations, and we have a 
number of on-going projects. My written testimony describes some 
of that work and discusses its implications. 

For my oral remarks, I will discuss our investigation into the al- 
legations that the Secret Service agents improperly accessed a re- 
stricted database to discover details about Chairman Jason 
Chaffetz’ application to the Secret Service, as well as some other 
on-going work. 

We found that the Chaffetz application entry contained within a 
Secret Service database called the Master Central Index was 
accessed by Secret Service employees on approximately 60 occa- 
sions between March 25 and April 2 of this year. We concluded 
that the vast majority of those who accessed the information did 
so in violation of the Privacy Act of 1974, as well as Secret Service 
and DHS policy. 

We identified one individual who acknowledged disclosing infor- 
mation protected by the Privacy Act to an outside source. However, 
because the number of individuals with access to this information 
was so great, we were unable to identify others who may have dis- 
closed protected information to third parties. 

We found that the access began minutes after Director Clancy 
began testifying before the Committee on Oversight and Govern- 
ment Reform on March 24, and continued in the days following. 
Knowledge of Chairman Chaffetz’ application was wide-spread and 
fueled and confirmed by improper access to the Secret Service data- 
base at issue. 

We found that a number of senior managers knew agents were 
accessing the MCI improperly and some of them accessed it them- 
selves. Other senior managers were aware that Chairman Chaffetz 
once had applied at the Secret Service but they apparently did not 
comprehend the seriousness of what was developing. As a result, 
no one acted until it was too late to stop this unauthorized and un- 
lawful activity. 
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Our investigation also revealed that the MCI, a case manage- 
ment tool implemented in 1984, did not have the audit and access 
controls of a modern IT system or appropriately segregate informa- 
tion. Such controls and segregation may have prevented or at least 
minimized the behavior we discovered. 

This also appears to run counter to the Privacy Act which re- 
quires agencies to establish appropriate administrative, technical, 
and physical safeguards to ensure the safety and — I am sorry, the 
security and confidentiality of the records. 

Additionally, the Secret Service must ensure that only relevant 
records are maintained in these types of databases. The Privacy 
Act requires that the agency maintain its records only such infor- 
mation about an individual as is relevant and necessary to accom- 
plish a purpose of the agency. 

The fact that the MCI had records of an unsuccessful application 
from 12 years earlier which contained sensitive information, the 
disclosure of which could lead to identity theft, may violate this 
provision of the Privacy Act. 

Finally, although all agents were trained in the use of the system 
and received yearly refresher training, it was apparent that many 
of the agents disregarded that training. 

The Secret Service recently reported that it retired the MCI and 
migrated all data to about 5 other Secret Service information sys- 
tems in September 2015. Our Office of Information Technology Au- 
dits is currently conducting a technical security assessment of the 
information systems that the Secret Service now uses to store and 
retrieve this information. We expect to complete that assessment 
and issue a final report in February 2016. 

Over the past year-and-a-half as part of our independent over- 
sight effort, we have investigated various incidents involving alle- 
gations of misconduct by Secret Service employees and other issues 
related to the Secret Service’s organization and mission. The re- 
sults of our investigation and reviews point to on-going organiza- 
tional and management challenges. The Secret Service has cer- 
tainly taken steps to address these challenges but not always suc- 
cessfully. 

Additionally, we are reviewing 3 incidents involving potential se- 
curity lapses. For each incidence — incident — shots being fired at 
the White House from Constitution Avenue, an intruder jumping 
over the fence and entering the White House, an armed guard com- 
ing in close proximity to the President — we are determining wheth- 
er the Secret Service followed its own protective policies, what ac- 
tions were taken to correct, identify deficiencies and whether these 
corrections were adequate. 

The ultimate aim of our review is to determine and understand 
the root causes of these lapses. This fiscal year we plan to issue 
3 reports on these incidents, as well as a capping report that iden- 
tifies the root causes and includes any other necessary overarching 
recommendations. 

Mr. Chairman, this concludes my prepared statement. I welcome 
any questions you or any other Members of the subcommittees may 
have. 

[The prepared statement of Mr. Roth follows:] 
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Prepared Statement of John Roth 
November 17, 2015 

Chairmen Lankford and Perry, Ranking Members Heitkamp and Watson Cole- 
man, and Members of the subcommittees: Thank you for inviting me here today to 
discuss our on-going work involving the United States Secret Service (Secret Serv- 
ice) and its Government-wide implications. We have conducted a number of inves- 
tigations, audits, and inspections of Secret Service programs and operations, and we 
have a number of on-going projects. My testimony today will describe some of that 
work and discuss its implications. 

ALLEGATIONS CONCERNING ACCESS TO CHAIRMAN CHAFFETZ’ APPLICATION FILE 

As a result of our investigation, we determined that a Secret Service database 
containing sensitive personally identifiable information pertaining to Congressman 
Jason Chaffetz, Chairman of the House Committee on Oversight and Government 
Reform, was accessed by Secret Service employees on approximately 60 occasions 
between March 25 and April 2 of this year. 1 We concluded that a vast majority of 
those who accessed the information did so in violation of the Privacy Act of 1974 
(Privacy Act), as well as Secret Service and Department of Homeland Security 
(DHS) policy. We also identified one individual who acknowledged disclosing infor- 
mation protected by the Privacy Act to an outside source. However, because the 
number of individuals with access to this information was so great, we were unable 
to identify others who may have disclosed protected information to third parties. 

We found that the access began minutes after Director Clancy began testifying 
before the Committee on Oversight and Government Reform on March 24 and con- 
tinued in the days following. Knowledge of Chairman Chaffetz’ application was 
widespread and was fueled and confirmed by improper access to the Secret Service 
database at issue, the Master Central Index (MCI). 

We found that a number of senior managers knew agents were accessing the MCI 
improperly. For example, the special agent in charge of the Washington Field Office 
(WFO) became aware on or about March 25 that several of her mid-level WFO su- 
pervisors had accessed or were aware of the Chaffetz record, and she directed her 
subordinates to cease any further access of the MCI record. No other Secret Service 
personnel at WFO accessed the Chaffetz record after that date, but 25 others 
around the country did. Likewise, Deputy Assistant Director Cynthia Wofford of the 
Office of Strategic Intelligence and Information recalled hearing rumors of the 
Chaffetz application during the director’s March 24 testimony. After unsuccessfully 
searching the internet for confirmation of the rumor, Wofford accessed the MCI on 
the morning of March 25 and found the Chaffetz record. She attempted to bring this 
to the attention of Deputy Director Magaw, but he told her that he already knew 
about it. 

However, other senior managers were aware that Chairman Chaffetz had once ap- 
plied to the Secret Service, but they apparently did not comprehend the seriousness 
of what was developing. None of the senior managers apparently understood that 
the rumors were being fueled and confirmed by numerous agents who improperly 
accessed the protected MCI record of the Chaffetz application. As a result, no one 
acted, until it was too late, to stop this unauthorized and unlawful activity. 

Our investigation also revealed that the MCI, a case management tool imple- 
mented in 1984 to facilitate the Secret Service’s investigative process, did not have 
the audit and access controls of a modern information technology (IT) system or ap- 
propriately segregate the information. Such controls and segregation may have pre- 
vented or minimized the behavior we discovered. This also appears to run counter 
to the Privacy Act, which requires agencies to “establish appropriate administrative, 
technical, and physical safeguards to insure the security and confidentiality of 
records.” 

Additionally, the Secret Service must ensure that only relevant records are main- 
tained in these types of databases. The Privacy Act requires that an agency “main- 
tain in its records only such information about an individual as is relevant and nec- 
essary to accomplish a purpose of the agency required to be accomplished.” The fact 
that the MCI had records of an unsuccessful application from 12 years earlier, 
which contained sensitive information the disclosure of which could lead to identity 
theft, may violate this provision of the Privacy Act. Finally, although all agents 
were trained on use of the system and received yearly refresher training, it was ap- 
parent that many of the agents disregarded that training. 


1 Memorandum, "Investigation into the Improper Access and Distribution of Information Con- 
tained Within a Secret Service Data System” (September 25, 2015). 
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Our Office of Information Technology Audits is currently conducting a technical 
security assessment of the information systems the Secret Service now uses to store 
and retrieve investigative and criminal history information. The Secret Service re- 
cently reported that it retired the MCI and migrated all data to about 5 other Secret 
Service information systems in September 2015. The objectives of our technical as- 
sessment are to verify that the MCI is no longer in use, identify which systems cur- 
rently house MCI data, determine the level of physical and system controls imple- 
mented to secure the data from further instances of unauthorized access, and iden- 
tify gaps in the security posture. We also intend, to the extent possible, to under- 
stand the security weaknesses in the MCI when it was operational. We expect to 
complete our assessment and issue a final report in February 2016. 

PREVIOUS ALLEGATIONS OF EMPLOYEE MISCONDUCT 

Over the past several years, as part of our independent oversight effort, we have 
investigated various incidents involving allegations of misconduct by Secret Service 
employees. We have also reviewed other issues related to the Secret Service’s orga- 
nization and mission that raised the concern of Congress and the public. In sum, 
the results of our investigations and reviews, as well as other incidents we were 
made aware of, point to some on-going organizational and management challenges. 
The Secret Service has certainly taken steps to address these challenges, but not 
always successfully. These persistent challenges may not be easy to resolve through 
expeditious action, such as suspending employees and issuing new guidance. They 
may require more fundamental change that addresses the root cause of the mis- 
conduct. 

Allegation Into Agent Misconduct at the White House Complex on March 4, 2015 

We reviewed the actions of two Secret Service agents who on the evening of 
March 4 had entered an area that had been secured as a result of a suspicious pack- 
age. 2 We concluded that it was more likely than not that both agents’ judgment was 
impaired by alcohol. We found that, notwithstanding their denials, both agents were 
observed by uniformed officers as “not right,” and “not making sense,” had just 
spent the previous 5 hours in a restaurant/bar in which one ran up a significant 
bar tab, and that they drove into a crime scene inches from what the rest of the 
Secret Service was treating as a potential explosive device and which, under dif- 
ferent circumstances, could have endangered their own lives and those of the Uni- 
formed Division (UD) officers responding. 

While each agent had a duty to report the incident to his superior, neither did 
do so. We found that their failure to do so reflected either poor judgment or an af- 
firmative desire to hide their activities. 

Allegation Into Misuse of Government Resources to Conduct Employee Protection Op- 
erations 

We also investigated an allegation that under an operation called “Operation 
Moonlight” Secret Service personnel and resources were directed to conduct surveil- 
lance and records checks unrelated to the Secret Service’s mission. 3 The complaint 
alleged that Secret Service agents were instructed to use law enforcement databases 
and conduct rotating surveillance shifts on a neighbor of the then-Executive Staff 
Assistant to the former Secret Service Director. We did not find any instances in 
which Secret Service agents approached the neighbor, nor could we conclude that 
the neighbor’s house was ever under direct surveillance. 

Our ensuing investigation, however, revealed that personnel and database re- 
sources were misused when Washington Field Office “Prowler” teams periodically 
checked on the executive staff assistant at her residence for about 1 week in early 
July 2011. Our investigation also showed these checks were initiated in response 
to a private dispute and did not occur in the course of official duties or as a result 
of the executive staff assistant’s position. In addition, we determined that the Prowl- 
er team agents were not investigating a potential assault on the executive staff as- 
sistant; the agents commonly described undertaking the checks because of an issue 
she was having with her neighbor. 

Secret Service personnel told us that the Prowler team checks did not divert re- 
sources from essential functions and responsibilities or negatively impact the Secret 
Service’s mission. However, the checks on the executive staff assistant in La Plata, 
Maryland — a 45-minute drive from the White House — diverted Prowler personnel 


2 Memorandum, “Investigation Into the Incident at the White House Complex on March 4, 
2015” (May 6, 2015). 

3 Memorandum, “Allegations of Misuse of United States Secret Service Resources” ( October 17, 
2014). 
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from the White House area and its surroundings when, on 4 of 5 identified days, 
the President was departing, arriving, or at the White House. 

Allegations of Secret Service Misconduct in Cartagena , Colombia 

We also investigated allegations that, in April 2012, during preparations for Presi- 
dent Obama’s visit to Cartagena, Colombia, Secret Service agents solicited pros- 
titutes and engaged in other misconduct. 

During our investigation, we independently identified Secret Service personnel 
who directly supported the Cartagena visit and other potential witnesses who may 
have had information about the Cartagena trip. We identified the personnel directly 
involved in the incident, as well as the potential witnesses, through documentary 
sources, including official travel records, hotel registries, country clearance cables, 
personnel assignments, and Secret Service and U.S. Embassy records. 

As part of our investigation, we conducted 283 interviews of 251 Secret Service 
personnel. Based on our interviews and review of records, we identified 13 Secret 
Service employees who had personal encounters with female Colombian nationals 
consistent with the misconduct reported. We determined that one of the female Co- 
lombian nationals involved in the incident was known to the intelligence commu- 
nity. However, we found no evidence that the actions of Secret Service personnel 
had compromised any sensitive information. 

Our investigation determined that 12 Secret Service employees met 13 female Co- 
lombian nationals at bars or clubs and returned with them to their rooms at the 
Hotel Caribe or the Hilton Cartagena Hotel. In addition, one Secret Service em- 
ployee met a female Colombian national at the apartment of a Drug Enforcement 
Administration special agent. We interviewed the remaining 12 Secret Service em- 
ployees who had personal encounters with the 13 female Colombian nationals. 
Through our interviews, we learned that following their encounters, 3 females left 
the rooms without asking for money, 5 females asked for money and were paid, and 
4 females asked for money but were not paid. In addition, 1 female, who asked to 
be paid but was not, brought a Colombian police officer to the door of the Secret 
Service employee’s room; the employee did not answer the door. As a result, she was 
paid by another Secret Service employee and left. A fourteenth Secret Service em- 
ployee, who the Secret Service initially identified as involved in the misconduct, was 
subsequently determined to have been misidentified. 

Of the 13 employees accused of soliciting prostitutes in Cartagena, 3 were re- 
turned to duty with memoranda of counseling, after being cleared of serious mis- 
conduct. Five employees had their security clearance revoked because they either 
knowingly solicited prostitutes, demonstrated lack of candor during the investiga- 
tion, or both. Five employees resigned or retired prior to the adjudication of their 
security clearance. Several of these last 5 employees appealed their adverse per- 
sonnel actions to the United States Merit Systems Protection Board. 

After the incident, the Secret Service issued new guidance regarding personal be- 
havior, including a directive amending standards of conduct with additional policies 
about off-duty conduct, briefings, and supervision on foreign trips. 

Other Misconduct by Secret Service Employees 

Although we did not investigate them, 6 incidents that occurred between June 
2013 and June 2014 highlighted questionable conduct by Secret Service employees 
that affected the Secret Service’s protective function. These incidents took place 
after the Secret Service instituted new policies (in April 2012) on alcohol use, includ- 
ing prohibiting use within 10 hours of reporting for duty and prohibiting drinking 
at the protectee’s hotel once a protective visit has begun (but permitting drinking 
“in moderate amounts” while off-duty during a protective mission). 

• In June 2013, 2 UD officers were found to have consumed alcohol during an 
overseas mission, in violation of the 10-hour rule regarding alcohol consump- 
tion. One of the officers, a second-time offender, handled his rifle while under 
the influence of alcohol. He received a 28-day suspension; the other officer re- 
ceived a 7-day suspension. 

• In November 2013, a supervisory agent was involved in an incident at the Hay 
Adams hotel in Washington, DC. The supervisor began conversing with a 
woman at the hotel bar and later accompanied the woman to her room. The 
woman solicited the help of hotel security when she wanted the agent to leave 
her room, reporting that he had a gun and she was frightened. The agent left 
the room without incident. The Secret Service conducted an inquiry and issued 
a letter of reprimand to the agent. 

• In December 2013, 4 UD officers were found to have consumed alcohol during 
a layover on an overseas mission, in violation of the 10-hour rule regarding alco- 
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hoi consumption. Four of these officers were issued letters of reprimand; the 
fifth, a second-time offender, was issued a 14-day suspension. 

• In March 2014, a UD officer was involved in a car accident while driving a Gov- 
ernment-rented vehicle during official travel supporting a Presidential visit. The 
officer was found to have consumed alcohol in the hours preceding the accident, 
in violation of the 10-hour rule regarding alcohol consumption. The officer was 
ultimately served with a 7-day suspension. This officer was one of 10 others 
who were out together the evening before the accident. Three of the other offi- 
cers violated the 10-hour rule and a fourth misused a Government-rented vehi- 
cle. These officers were issued suspensions ranging from 14 days to 35 days. 
One of the officers resigned. 

• In March 2014, an agent was sent back to Washington, DC, after he was found 
unconscious outside his hotel room in The Hague, Netherlands, while on official 
travel. When interviewed, the agent said he went out to dinner at a restaurant 
with other Secret Service personnel, during which he had several drinks. After 
dinner, he and two other agents had several more drinks. The agent could not 
remember leaving the restaurant or how he got back to his hotel. All three 
agents were found to have violated the 10-hour rule regarding alcohol consump- 
tion. The agent who was found unconscious resigned from the Secret Service. 
The other two agents were issued suspensions of 28 days and 30 days. 

• In June 2014, a UD officer flying while armed with his Secret Service-issued 
handgun consumed 2 beers within the 10 hours prior to his flight. He consumed 
1 beer at the airport bar after checking in with the gate agent as an armed law 
enforcement officer. He was issued a 14-day suspension. 

REVIEW OF SYSTEMIC EMPLOYEE MISCONDUCT ISSUES 

Although after the Cartagena incident, the Secret Service investigated the allega- 
tions of misconduct, took action against the employees involved, and issued new 
guidance on personal behavior, other underlying issues arose during our investiga- 
tion. In particular, when asked how the Secret Service dealt with misconduct allega- 
tions in general, some employees alleged there was a culture of retaliation and dis- 
parate treatment of employees, including directed punishment toward complainants 
and those voicing concerns about Secret Service programs and operations. Secret 
Service staff reported that the resulting culture may have adversely impacted the 
employee retention rate. Individuals we interviewed also reported that Secret Serv- 
ice officials “whitewashed” allegations of employee misconduct, effectively 
downplaying and underreporting complaints to the Office of Inspector General (OIG) 
so they would appear to be administrative and not potentially criminal. These ac- 
tions would, in turn, cause the allegations to be returned to Secret Service internal 
affairs for inquiry instead of OIG accepting them for investigation. 

We decided to further examine these more general allegations, which pointed to 
potentially more wide-spread problems. In December 2013, we issued a report on 
our review of the Secret Service’s efforts to identify, mitigate, and address instances 
of misconduct and inappropriate behavior. In our report, we described a situation 
in which many employees were hesitant to report off-duty misconduct either because 
of fear that they would be retaliated against or because they felt management would 
do nothing about it. For example, in response to one survey question, 56 percent 
of electronic survey respondents indicated that they could report misconduct without 
fear of retaliation, meaning that almost half of the workforce may have feared retal- 
iation for reporting misconduct. 

In our survey, we also questioned employees about reporting excessive alcohol 
consumption. Of the 138 electronic survey respondents who personally observed ex- 
cessive alcohol consumption, 118 (86 percent) indicated they did not report the be- 
havior. Respondents could select multiple reasons for not reporting the behavior. 
Some frequently cited reasons included: 

• 66 respondents (56 percent) indicated the employee engaged in the behavior 
while off-duty. 

• 55 respondents (47 percent) did not believe that management supported employ- 
ees reporting the behavior. 

• 47 respondents (40 percent) were afraid of reprisal or retaliation. 

Additionally, we reported that the Secret Service often administered penalties 

that were less severe than the range of recommended penalties at other Department 
law enforcement components. We compared the Secret Service’s disciplinary re- 
sponse for specific infractions to penalties for similar infractions at U.S. Immigra- 
tion and Customs Enforcement (ICE), the Transportation Security Administration 
(TSA), and U.S. Customs and Border Patrol (CBP). 
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From 2004 to 2013, the Secret Service administered discipline for a single offense 
to one-time offenders 341 times. Most of the time, the Secret Service imposed less 
severe penalties than one or more of these components. Specifically: 

• In 265 of the 341 instances (78 percent), the Secret Service administered less 
severe discipline than one or more of TSA’s, ICE’s, and CBP’s tables of penalties 
showed those components would have administered. In 141 of these 265 in- 
stances (53 percent), the Secret Service administered less severe discipline com- 
pared to all three components’ tables of penalties. 

• For the remaining 76 of the 341 instances (22 percent), the Secret Service ad- 
ministered discipline within or above what TSA’s, ICE’s, and CBP’s tables of 
penalties showed those components would have administered. 

As a result of our findings, we identified areas in which the Secret Service needed 
better management controls for reporting misconduct or inappropriate behavior and 
adjudicating and administering disciplinary actions. We made 14 recommendations 
to improve the Secret Service’s processes for identifying, mitigating, and addressing 
instances of misconduct and inappropriate behavior. Additionally, we suggested the 
Secret Service continue to monitor and address excessive alcohol consumption and 
personal conduct within its workforce. 

The Secret Service concurred with all 14 recommendations and implemented 
changes to its discipline program. Among the improvements, the Secret Service cre- 
ated a table of penalties for determining appropriate corrective, disciplinary, or ad- 
verse actions for common offenses and established a centralized process within 
headquarters for determining and implementing discipline for employee misconduct. 
Because the Secret Service reformed its administrative discipline process after our 
report was issued, we are unable to determine the extent to which the pattern of 
imposing less severe discipline continues. 

Correcting underlying shortcomings in the discipline process and ensuring fair 
and consistent discipline are vital to the stability of any organization. As part of our 
performance plan for fiscal year 2016, we intend to evaluate the strength of the De- 
partment’s disciplinary processes. We will focus on the depth and breadth of employ- 
ees’ perceptions and attitudes about misconduct and the application of discipline, 
DHS’s established rules of conduct, and the application of discipline across the De- 
partment. 

OTHER AUDIT AND INSPECTION WORK INVOLVING SECRET SERVICE PROGRAMS AND 

OPERATIONS 

We have also conducted several audit and inspection reports regarding Secret 
Service programmatic responsibilities, outside the area of employee misconduct. 

Management Alert on UD Officer Fatigue 

We recently issued a management alert in which we identified UD officer safety 
issues that impact officer safety and the Secret Service’s ability to meet its mission. 

Specifically, during a site visit for an unrelated audit, we observed two UD offi- 
cers sleeping at their posts. Fatigue from travel, overtime shifts, and long hours con- 
tributed to these incidents. The Secret Service referred both officers for disciplinary 
action. We brought this matter to the attention of the Secret Service because of our 
concern that the staffing and scheduling process does not ensure officers have ade- 
quate breaks while on duty and time off between shifts. The Protective Mission 
Panel report, produced after the fence-jumping incident, raised concerns that the 
UD was inadequately staffed, necessitating significant overtime. We are concerned 
that the situation has not improved since that report was issued in December 2014. 

Inoperable Alarm at Protectee’s Residence 

In October 2014, we visited former President George H.W. Bush’s Houston resi- 
dence in response to a complaint alleging alarms were inoperable. During our visit, 
we identified issues with the alarm system at the residence. 

Specifically, an alarm, which had been installed around 1993, had been inoperable 
for at least 13 months. During this time, the Secret Service created a roving post 
to secure the residence, but the Secret Service could not determine the exact time 
period between when the alarm failed and the roving patrol started. We did not 
identify any security breaches that occurred. However, we found problems with 
identifying, reporting, and tracking alarm system malfunctions, and with repairing 
and replacing alarm systems. Secret Service officials also told us about security 
equipment problems, including the need for substantial repairs and improvements, 
at other residences of former Presidents. 
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FUTURE OIG WORK RELATED TO THE SECRET SERVICE 

In addition to the work we have already completed, we intend to conduct audits 
or evaluations of a number of other Secret Service programs and operations: 

• On-going Reviews of Three Security Lapses. — We are reviewing three incidents, 
one from November 2011 and two more that took place in September 2014, all 
of which highlight security lapses that raise serious concerns about the Secret 
Service’s ability to accomplish its protective mission. For each incident — shots 
being fired at the White House from Constitution Avenue in November 2011, 
an intruder jumping over the fence and entering the White House in September 
2014, and an armed guard coming in close proximity to the President in Sep- 
tember 2014 — we are determining whether the Secret Service followed its own 
protective policies, what actions were taken to correct identified deficiencies, 
and whether these corrections were adequate. The ultimate aim of our reviews 
is to determine and understand the root causes of these lapses, which may point 
to more fundamental and on-going challenges to the Secret Service’s mission. 
This fiscal year, we plan to issue three reports on these incidents, as well as 
a capping report that identifies root causes and includes any other necessary, 
overarching recommendations. 

• Radio Communications. — We are completing an audit to determine the ade- 
quacy of Secret Service radio communications. We will be recommending that 
the Secret Service upgrade its existing radio communication systems and de- 
velop a strategy and time line to continuously upgrade radio communication 
systems. 

• Protective Mission Panel Recommendations. — This fiscal year, we plan to assess 
the implementation status of recommendations from the Protective Mission 
Panel to the Secret Service resulting from the September 2014 fence jumping 
incident. 

• Security Clearances. — In response to a Congressional request, we will examine 
the Secret Service’s practices of hiring and deploying personnel without com- 
pleting the security clearance process. Specifically, we will review the process 
of granting waivers for personnel to begin work without completing the security 
clearance process, and the safeguards the Secret Service uses to ensure that 
those personnel are not given access to Classified information during the course 
of their duties. 

• IT Integration and Transformation. — We will conduct an audit to determine the 
extent to which the Secret Service’s IT Integration and Transformation (IITT) 
effort to modernize it outdated IT infrastructure supports its investigative and 
protective missions, goals, and objectives. Historically, the IITT has faced chal- 
lenges in planning, staffing, and governance. In 2009, the DHS chief informa- 
tion officer determined the effort lacked adequate planning, the development 
schedule was too aggressive, and the program scope exceeded the allocated 
budget. As a result of a prior OIG audit, in March 2011, we recommended that 
the Secret Service develop an IT staffing plan, formalize its Executive Steering 
Committee, and provide the Secret Service Chief Information Officer with the 
component-wide IT budget and investment review authority needed to ensure 
success of the IITT. Since our prior audit, the Secret Service has reduced the 
scope of the IITT and is working with the DHS Chief Financial Officer to ensure 
that planned capabilities can be delivered within expected funding levels. We 
expect to complete our audit and issue a final report in the summer of 2016. 

Mr. Chairmen, this concludes my prepared statement. I welcome any questions 
you or other Members of the subcommittees may have. 

Mr. Perry. Thank you, Mr. Roth. 

The Chair now recognizes Mr. Willemssen for an opening state- 
ment. 

STATEMENT OF JOEL C. WILLEMSSEN, MANAGING DIRECTOR, 
INFORMATION TECHNOLOGY ISSUES, U.S. GOVERNMENT AC- 
COUNTABILITY OFFICE 

Mr. Willemssen. Thank you Chairman Perry, Chairman 
Lankford, Ranking Member Watson Coleman, Ranking Member 
Heitkamp, Chairman Johnson of the full committee, Ranking Mem- 
ber Thompson of the full committee, Members of the subcommit- 
tees, thank you for inviting GAO to testify today. 



29 


As requested, I will briefly summarize our statement on informa- 
tion security across the Federal Government. GAO has had long- 
standing concerns about the state of information security in the 
Federal Government. We initially identified Federal information se- 
curity as a Government-wide high-risk area 18 years ago. 

We subsequently expanded this high-risk designation to include 
computerized systems supporting the Nation’s critical infrastruc- 
ture and the protection of privacy and personally identifiable infor- 
mation. The cyber threats facing our country continue to be very 
serious. 

The impact of these threats is highlighted by recent incidents in- 
volving breaches of sensitive, personally identifiable information 
and the sharp increase in information security incidents reported 
by Federal agencies over the last several years, which have risen 
from about 5,500 in 2006 to about 67,000 in 2014. 

Given the risks posed by external and internal threats in the in- 
creasing number of incidents, it is crucial that Federal agencies 
take appropriate steps to secure their systems and data. However, 
we and inspectors general have continued to identify significant 
weaknesses and needed security controls. 

For example for fiscal year 2014, 19 of 24 major Federal agencies 
declared information security as a material weakness or significant 
deficiency. Most of these agencies have reported weaknesses in the 
key control areas that we track, including controls intended to pre- 
vent, limit, or detect unauthorized or inappropriate access to net- 
works and data. In particular, our work has often shown that too 
many agency employees have too much unnecessary access to too 
many systems and databases. 

Agencies need to implement clear policies on access to sensitive 
information and grant access permissions to users at the minimum 
level necessary to perform legitimate job-related tasks on a need- 
to-know basis. Deploying effective monitoring and accountability 
mechanisms to track user activities on networks and systems is 
also essential to ensuring that improper access and usage are 
quickly detected and remedied. 

To address the many information security weaknesses at Federal 
agencies, GAO and inspectors general have made thousands of rec- 
ommendations. Over the last 6 years, GAO has made about 2,000 
recommendations to improve information security programs and 
controls. 

To date about 58 percent of these recommendations have been 
implemented. Until agencies take actions to address weakness and 
implement GAO and I.G. recommendations, Federal networks and 
sensitive information, including personally identifiable information, 
will be at increased risk from internal and external threats. 

Actions to implement recommendations will strengthen systems 
and data security and reduce the risk of cyber intrusions or at- 
tacks. That concludes the summary my statement and I look for- 
ward to addressing the questions. 

Thank you. 

[The prepared statement of Mr. Willemssen follows:] 
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Prepared Statement of Joel C. Willemssen 
November 17, 2015 

Chairman Lankford, Chairman Perry, Ranking Members Heitkamp and Watson 
Coleman, and Members of the subcommittees: Thank you for inviting me to testify 
at today’s hearing on on-going challenges at the U.S. Secret Service and their Gov- 
ernment-wide implications. As requested, my statement today will address cyber 
threats and security control weaknesses affecting Federal systems and information. 

As you know, the Federal Government faces an evolving array of cyber-based 
threats to its systems and data, as illustrated by recently-reported data breaches 
at Federal agencies, which have affected millions of current and former Federal em- 
ployees, and the increasing number of incidents reported by agencies. Such incidents 
underscore the urgent need for effective implementation of information security con- 
trols at Federal agencies. 

Since 1997, we have designated Federal information security as a Government- 
wide high-risk area, and in 2003 expanded this area to include computerized sys- 
tems supporting the Nation’s critical infrastructure. Most recently, in the February 
2015 update to our high-risk list, we further expanded this area to include pro- 
tecting the privacy of personally identifiable information (PII) 1 — that is, personal in- 
formation that is collected, maintained, and shared by both Federal and non-Federal 
entities. 2 

In preparing this statement, we relied on our previous work addressing cyber 
threats and Federal information security efforts. The prior reports cited throughout 
this statement contain detailed discussions of the scope of the work and the method- 
ology used to carry it out. All the work on which this statement is based was con- 
ducted in accordance with generally-accepted Government auditing standards. 
Those standards require that we plan and perform audits to obtain sufficient, appro- 
priate evidence to provide a reasonable basis for our findings and conclusions based 
on our audit objectives. We believe that the evidence obtained provides a reasonable 
basis for our findings and conclusions based on our audit objectives. A list of related 
GAO products is provided in attachment I. 

BACKGROUND 

As computer technology has advanced, the Federal Government has become in- 
creasingly dependent on computerized information systems to carry out operations 
and to process, maintain, and report essential information. Federal agencies rely on 
computer systems to transmit proprietary and other sensitive information, develop 
and maintain intellectual capital, conduct operations, process business transactions, 
transfer funds, and deliver services. 

Ineffective protection of these information systems and networks can impair deliv- 
ery of vital services, and result in: 

• loss or theft of computer resources, assets, and funds; 

• inappropriate access to and disclosure, modification, or destruction of sensitive 
information, such as personally identifiable information; 

• disruption of essential operations supporting critical infrastructure, National 
defense, or emergency services; 

• undermining of agency missions due to embarrassing incidents that erode the 
public’s confidence in Government; 

• use of computer resources for unauthorized purposes or to launch attacks on 
other systems; 

• damage to networks and equipment; and 

• high costs for remediation. 

Recognizing the importance of these issues, Congress enacted laws intended to im- 
prove the protection of Federal information and systems. These laws include the 
Federal Information Security Modernization Act of 2014 (FISMA), 3 which, among 
other things, authorizes the Department of Homeland Security (DHS) to: (1) Assist 
the Office of Management and Budget ( OMB ) with overseeing and monitoring agen- 
cies’ implementation of security requirements; (2) operate the Federal information 


1 Personally identifiable information is information about an individual, including information 
that can be used to distinguish or trace an individual’s identity, such as name. Social Security 
number, mother’s maiden name, or biometric records, and any other personal information that 
is linked or linkable to an individual. 

2 See GAO, High-Risk Series: An Update, GAO— 15— 290 (Washington, DC: Feb. 11, 2015). 

3 The Federal Information Security Modernization Act of 2014 (Pub. L. No. 113—283, Dec. 18, 
2014) (2014 FISMA) largely superseded the very similar Federal Information Security Manage- 
ment Act of 2002 (Title III, Pub. L. No. 107-347, Dec. 17, 2002) (2002 FISMA). 
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security incident center; and (3) provide agencies with operational and technical as- 
sistance, such as that for continuously diagnosing and mitigating cyber threats and 
vulnerabilities. The act also reiterated the 2002 FISMA requirement for the head 
of each agency to provide information security protections commensurate with the 
risk and magnitude of the harm resulting from unauthorized access, use, disclosure, 
disruption, modification, or destruction of the agency’s information or information 
systems. 

In addition, the act continues the requirement for Federal agencies to develop, 
document, and implement an agency-wide information security program. The pro- 
gram is to provide security for the information and information systems that sup- 
port the operations and assets of the agency, including those provided or managed 
by another agency, contractor, or other source. 

CYBER THREATS TO FEDERAL SYSTEMS CONTINUE TO EVOLVE AMID INCREASING 
NUMBERS OF INCIDENTS 

Risks to cyber-based assets can originate from unintentional or intentional 
threats. Unintentional threats can be caused by, among other things, natural disas- 
ters, defective computer or network equipment, software coding errors, and the ac- 
tions of careless or poorly-trained employees. Intentional threats include both tar- 
geted and untargeted attacks from a variety of sources, including criminal groups, 
hackers, disgruntled employees and other organizational insiders, foreign nations 
engaged in espionage and information warfare, and terrorists. 

These adversaries vary in terms of their capabilities, willingness to act, and mo- 
tives, which can include seeking monetary or personal gain or pursuing a political, 
economic, or military advantage. For example, organizational insiders can pose 
threats to an organization since their position within the organization often allows 
them to gain unrestricted access and cause damage to the targeted system, steal 
system data, or disclose sensitive information without authorization. The insider 
threat includes inappropriate actions by contractors hired by the organization, as 
well as careless or poorly-trained employees. 

As we reported in February 2015, 4 since fiscal year 2006, the number of informa- 
tion security incidents affecting systems supporting the Federal Government has 
steadily increased each year: Rising from 5,503 in fiscal year 2006 to 67,168 in fiscal 
year 2014, an increase of 1,121 percent. Furthermore, the number of reported secu- 
rity incidents involving PII at Federal agencies has more than doubled in recent 
years — from 10,481 incidents in fiscal year 2009 to 27,624 incidents in fiscal year 
2014. (See fig 1.) 


4 GAO, High-Risk Series: An Update , GAO— 15-290 (Washington, DC: February 2015). 
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Figure 1: Incidents Involving Personally Identifiable Information Reported to the 
U.S. Computer Emergency Readiness Team by Federal Agencies for Fiscal Years 
2009 through 2014 

Number of reported incidents 



Fiscal year 

Source: GAO analysis of United States Computer Emergency Readiness Team data for fiscal years 2009-2014. | GAO-16-194T 

These incidents and others like them can adversely affect National security; dam- 
age public health and safety; and lead to inappropriate access to and disclosure, 
modification, or destruction of sensitive information. Recent examples highlight the 
impact of such incidents: 

• In June 2015, the Office of Personnel Management reported that an intrusion 
into its systems affected the personnel records of about 4.2 million current and 
former Federal employees. The Director stated that a separate but related inci- 
dent involved the agency’s background investigation systems and compromised 
background investigation files for 21.5 million individuals. 

• In June 2015, the Commissioner of the Internal Revenue Service testified that 
unauthorized third parties had gained access to taxpayer information from its 
“Get Transcript” application. According to officials, criminals used taxpayer-spe- 
cific data acquired from non-Department sources to gain unauthorized access to 
information on approximately 100,000 tax accounts. This data included Social 
Security information, dates of birth, and street addresses. In an August 2015 
update, the agency reported this number to be about 114,000 and that an addi- 
tional 220,000 accounts had been inappropriately accessed, which brings the 
total to about 330,000 accounts. 

• In April 2015, the Department of Veterans Affairs’ Office of Inspector General 
reported that two contractors had improperly accessed the agency’s network 
from foreign countries using personally-owned equipment. 5 

• In February 2015, the director of national intelligence stated that unauthorized 
computer intrusions were detected in 2014 on the networks of the Office of Per- 
sonnel Management and two of its contractors. The two contractors were in- 
volved in processing sensitive PII related to National security clearances for 
Federal employees. 6 


5 Department of Veterans Affairs, Office of Inspector General, Administrative Investigation Im- 
proper Access to the VA Network by VA Contractors from Foreign Countries Office of Information 
and Technology Austin, TX, Report No. 13-01730—159 (Washington, DC: April 2015). 

6 James R. Clapper, Director of National Intelligence, World-wide Threat Assessment of the 
U.S. Intelligence Community, testimony before the Senate Committee on Armed Services, Feb- 
ruary 26, 2015. 
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• In September 2014, a cyber intrusion into the United States Postal Service’s in- 
formation systems may have compromised PII for more than 800,000 of its em- 
ployees. 7 

• In October 2013, a wide-scale cybersecurity breach involving a U.S. Food and 
Drug Administration system occurred that exposed the PII of 14,000 user ac- 
counts. 8 

INFORMATION SECURITY WEAKNESSES PLACE FEDERAL SYSTEMS AND SENSITIVE DATA 

AT RISK 

Given the risks posed by cyber threats and the increasing number of incidents, 
it is crucial that Federal agencies take appropriate steps to secure their systems and 
information. We and agency inspectors general have identified numerous weak- 
nesses in protecting Federal information and systems. Agencies continue to have 
shortcomings in assessing risks, developing and implementing security controls, and 
monitoring results. Specifically, for fiscal year 2014, 19 of the 24 Federal agencies 
covered by the Chief Financial Officers Act 9 reported that information security con- 
trol deficiencies were either a material weakness or a significant deficiency in inter- 
nal controls over their financial reporting. 10 Moreover, inspectors general at 23 of 
the 24 agencies cited information security as a major management challenge for 
their agency. 

As we reported in September 2015, for fiscal year 2014, most of the 24 agencies 
had weaknesses in the 5 major categories of information system controls. 11 These 
control categories are: (1) Access controls, which limit or detect access to computer 
resources (data, programs, equipment, and facilities), thereby protecting them 
against unauthorized modification, loss, and disclosure; (2) configuration manage- 
ment controls, intended to prevent unauthorized changes to information system re- 
sources (for example, software programs and hardware configurations) and assure 
that software is current and known vulnerabilities are patched; (3) segregation of 
duties, which prevents a single individual from controlling all critical stages of a 
process by splitting responsibilities between 2 or more organizational groups; (4) 
contingency planning, 12 which helps avoid significant disruptions in computer-de- 
pendent operations; and (5) agency- wide security management, which provides a 
framework for ensuring that risks are understood and that effective controls are se- 
lected, implemented, and operating as intended. (See fig. 2.) 


7 Randy S. Miskanic, Secure Digital Solutions Vice President of the United States Postal Serv- 
ice, Examining Data Security at the United States Postal Service, testimony before the Sub- 
committee on Federal Workforce, U.S. Postal Service and the Census, 113th Congress, Novem- 
ber 19, 2014. 

8 Department of Health and Human Services, Office of Inspector General, Penetration Test of 
the Food and Drug Administration’s Computer Network, Report No. A-18— 13-30331 (Wash- 
ington, DC: October 2014). 

9 The 24 agencies are the Departments of Agriculture, Commerce, Defense, Education, Energy, 
Health and Human Services, Homeland Security, Housing and Urban Development, the Inte- 
rior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Environ- 
mental Protection Agency; General Services Administration; National Aeronautics and Space 
Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Per- 
sonnel Management; Small Business Administration; Social Security Administration; and the 
U.S. Agency for International Development. 

10 A material weakness is a deficiency, or combination of deficiencies, that results in more 
than a remote likelihood that a material misstatement of the financial statements will not be 
prevented or detected. A significant deficiency is a control deficiency, or combination of control 
deficiencies, in internal control that is less severe than a material weakness, yet important 
enough to merit attention by those charged with governance. A control deficiency exists when 
the design or operation of a control does not allow management or employees, in the normal 
course of performing their assigned functions, to prevent or detect and correct misstatements 
on a timely basis. 

11 GAO, Federal Information Security: Agencies Need to Correct Weaknesses and Fully Imple- 
ment Security Programs, GAO-15—714 (Washington, DC: Sept. 29, 2015). 

12 Contingency planning for information systems is part of an overall organizational program 
for achieving continuity of operations for mission/business operations. 
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Figure 2: Information Security Weaknesses at 24 Federal Agencies for Fiscal Year 
2014 


Number of agencies 

24 22 22 



Access Configuration Segregation Continuity Security 
control management of duties of operations management 

Source: GAO analysis of agency, inspector general, and GAO reports as of May 2015. | GAO-16-194T 


• Access controls . — For fiscal year 2014, we, agencies, and inspectors general re- 
ported weaknesses in the electronic and physical controls to limit, prevent, or 
detect inappropriate access to computer resources (data, equipment, and facili- 
ties), thereby increasing their risk of unauthorized use, modification, disclosure, 
and loss. Access controls involve the 6 critical elements described in table 1. 

TABLE 1.— CRITICAL ELEMENTS FOR ACCESS CONTROL TO COMPUTER 

RESOURCES 


Element 


Description 


Boundary Protection Boundary protection controls logical connectivity into 

and out of networks and controls connectivity to 
and from devices that are connected to a network. 
For example, multiple firewalls can be deployed to 
prevent both outsiders and trusted insiders from 
gaining unauthorized access to systems, and intru- 
sion detection and prevention technologies can be 
deployed to defend against attacks from the inter- 
net. 

User Identification and Au- A computer system must be able to identify and au- 
thentication. thenticate different users so that activities on the 

system can be linked to specific individuals. When 
an organization assigns a unique user account to 
specific users, the system is able to distinguish one 
user from another — a process called identification. 
The system also must establish the validity of a 
user’s claimed identity by requesting some kind of 
information, such as a password, that is known 
only by the user — a process known as authentica- 
tion. Multifactor authentication involves using two 
or more factors to achieve authentication. Factors 
include something you know (password or personal 
identification number), something you have (cryp- 
tographic identification device or token), or some- 
thing you are (biometric). The combination of iden- 
tification and authentication provides the basis for 
establishing accountability and for controlling ac- 
cess to the system. 
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TABLE 1.— CRITICAL ELEMENTS FOR ACCESS CONTROL TO COMPUTER 
RESOURCES— Continued 


Element 


Description 


Authorization Authorization is the process of granting or denying 

access rights and permissions to a protected re- 
source, such as a network, a system, an application, 
a function, or a file. For example, operating systems 
have some built-in authorization features such as 
permissions for files and folders. Network devices, 
such as routers, may have access control lists that 
can be used to authorize users who can access and 
perform certain actions on the device. Authorization 
controls help implement the principle of “least 
privilege,” which the National Institute of Stand- 
ards and Technology describes as allowing only au- 
thorized accesses for users (or processes acting on 
behalf of users) which are necessary to accomplish 
assigned tasks in accordance with organizational 
missions and business functions. 

Cryptography Cryptography underlies many of the mechanisms 

used to enforce the confidentiality and integrity of 
critical and sensitive information. Examples of 
cryptographic services are encryption, authentica- 
tion, digital signature, and key management. Cryp- 
tographic tools help control access to information by 
making it unintelligible to unauthorized users and 
by protecting the integrity of transmitted or stored 
information. 

Auditing and Monitoring .... To establish individual accountability, monitor com- 
pliance with security policies, and investigate secu- 
rity violations, it is necessary to determine what, 
when, and by whom specific actions have been 
taken on a system. Agencies do so by implementing 
software that provides an audit trail, or logs of sys- 
tem activity, that they can use to determine the 
source of a transaction or attempted transaction 
and to monitor users’ activities. 

Physical Security Physical security controls help protect computer facili- 

ties and resources from espionage, sabotage, dam- 
age, and theft. Examples of physical security con- 
trols include perimeter fencing, surveillance cam- 
eras, security guards, locks, and procedures for 
granting or denying individuals physical access to 
computing resources. Physical controls also include 
environmental controls such as smoke detectors, 
fire alarms, extinguishers, and uninterruptible 
power supplies. Considerations for perimeter secu- 
rity include controlling vehicular and pedestrian 
traffic. In addition, visitors’ access to sensitive 
areas is to be managed appropriately. 


Source: GAO. GAO-16-194T 

For fiscal year 2014, 12 agencies had weaknesses reported in protecting their net- 
works and system boundaries. For example, the access control lists on one agency’s 
firewall did not prevent traffic coming or initiated from the public internet protocol 
addresses of a contractor site and a U.S. telecom corporation from entering its net- 
work. Additionally, 20 agencies, including DHS, had weaknesses reported in their 
ability to appropriately identify and authenticate system users. To illustrate, agen- 
cies had weak password controls, such as using system passwords that had not been 
changed from the easily guessable default passwords or did not expire. 

Eighteen agencies, including DHS, had weaknesses reported in authorization con- 
trols for fiscal year 2014. For example, one agency had not consistently or in a time- 
ly manner removed, transferred, and/or terminated employee and contractor access 
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privileges from multiple systems. Another agency also had granted access privileges 
unnecessarily, which sometimes allowed users of an internal network to read and 
write files containing sensitive system information. In fiscal year 2014, 4 agencies 
had weaknesses reported in the use of encryption for protecting data. 

In addition, DHS and 18 other agencies had weaknesses reported in implementing 
an effective audit and monitoring capability. For instance, one agency did not suffi- 
ciently log security-relevant events on the servers and network devices of a key sys- 
tem. Moreover, 10 agencies, including DHS, had weaknesses reported in their ability 
to restrict physical access or harm to computer resources and protect them from un- 
authorized loss or impairment. For example, a contractor of an agency was granted 
physical access to a server room without the required approval of the office director. 

• Configuration management. — For fiscal year 2014, 22 agencies, including DHS, 
had weaknesses reported in controls that are intended to ensure that only au- 
thorized and fully-tested software is placed in operation, software and hardware 
is updated, information systems are monitored, patches are applied to these sys- 
tems to protect against known vulnerabilities, and emergency changes are docu- 
mented and approved. For example, 17 agencies, including DHS, had weak- 
nesses reported with installing software patches and implementing current 
versions of software in a timely manner. 

• Segregation of duties. — Fifteen agencies, including DHS, had weaknesses in con- 
trols for segregation of duties. These controls are the policies, procedures, and 
organizational structure that help to ensure that one individual cannot inde- 
pendently control all key aspects of a computer-related operation and thereby 
take unauthorized actions or gain unauthorized access to assets or records. For 
example, a developer from one agency had been authorized inappropriate access 
to the production environment of the agency’s system. 

• Continuity of operations. — DHS and 17 other agencies had weaknesses reported 
in controls for their continuity of operations practices for fiscal year 2014. Spe- 
cifically, 16 agencies did not have a comprehensive contingency plan. For exam- 
ple, one agency’s contingency plans had not been updated to reflect changes in 
the system boundaries, roles, and responsibilities, and lessons learned from 
testing contingency plans at alternate processing and storage sites. Addition- 
ally, 15 agencies had not regularly tested their contingency plans. 

• Security management. — For fiscal year 2014, DHS and 22 other agencies had 
weaknesses reported in security management, which is an underlying cause for 
information security weaknesses identified at Federal agencies. An agency-wide 
security program, as required by FISMA, provides a framework for assessing 
and managing risk, including developing and implementing security policies 
and procedures, conducting security awareness training, monitoring the ade- 
quacy of the entity’s computer-related controls through security tests and eval- 
uations, and implementing remedial actions as appropriate. 

We have also identified inconsistencies with the Government’s approach to cyber- 
security, including the following: 

Overseeing the security controls of contractors providing IT services. — In August 
2014, we reported that 5 of 6 agencies we reviewed were inconsistent in overseeing 
assessments of contractors’ implementation of security controls. 13 This was partly 
because agencies had not documented IT security procedures for effectively over- 
seeing contractor performance. In addition, according to OMB, 16 of 24 agency in- 
spectors general determined that their agency’s program for managing contractor 
systems lacked at least one required element. 

Responding to cyber incidents. — In April 2014, we reported that the 24 agencies 
did not consistently demonstrate that they had effectively responded to cyber inci- 
dents. 14 Specifically, we estimated that agencies had not completely documented ac- 
tions taken in response to detected incidents reported in fiscal year 2012 in about 
65 percent of cases. 15 In addition, the 6 agencies we reviewed had not fully devel- 
oped comprehensive policies, plans, and procedures to guide their incident response 
activities. 

Responding to breaches of PII. — In December 2013, we reported that 8 Federal 
agencies had inconsistently implemented policies and procedures for responding to 


13 GAO, Information Security: Agencies Need to Improve Oversight of Contractor Controls, 
GAO-14-612 (Washington, DCi Aug. 8, 2014). 

14 GAO, Information Security: Agencies Need to Improve Cyber Incident Response Practices, 
GAO-14-354 (Washington, DC: Apr. 30, 2014). 

15 This estimate was based on a statistical sample of cyber incidents reported in fiscal year 
2012, with 95 percent confidence that the estimate falls between 58 and 72 percent. 
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data breaches involving PII. 16 In addition, OMB requirements for reporting Pll-re- 
lated data breaches were not always feasible or necessary. Thus, we concluded that 
agencies may not be consistently taking actions to limit the risk to individuals from 
Pll-related data breaches and may be expending resources to meet OMB reporting 
requirements that provide little value. 

Over the last several years, we and agency inspectors general have made thou- 
sands of recommendations to agencies aimed at improving their implementation of 
information security controls. For example, we have made about 2,000 recommenda- 
tions over the last 6 years. These recommendations identify actions for agencies to 
take in protecting their information and systems. To illustrate, we and inspectors 
general have made recommendations for agencies to correct weaknesses in controls 
intended to prevent, limit, and detect unauthorized access to computer resources, 
such as controls for protecting system boundaries, identifying and authenticating 
users, authorizing users to access systems, encrypting sensitive data, and auditing 
and monitoring activity on their systems. We have also made recommendations for 
agencies to implement their information security programs and protect the privacy 
of PII held on their systems. 

However, many agencies continue to have weaknesses in implementing these con- 
trols in part because many of these recommendations remain unimplemented. For 
example, about 42 percent of the recommendations we have made during the last 
6 years remain unimplemented. Until Federal agencies take actions to implement 
the recommendations made by us and the inspectors general — Federal systems and 
information, as well as sensitive personal information about the public, will be at 
an increased risk of compromise from cyber-based attacks and other threats. 

In conclusion, the dangers posed by a wide array of cyber threats facing the Na- 
tion are heightened by weaknesses in the Federal Government’s approach to pro- 
tecting its systems and information. While recent Government-wide initiatives, in- 
cluding the 30-day Cybersecurity Sprint, 17 hold promise for bolstering the Federal 
cybersecurity posture, it is important to note that no single technology or set of 
practices is sufficient to protect against all these threats. A “defense in depth” strat- 
egy that includes well-trained personnel, effective and consistently applied proc- 
esses, and appropriately implemented technologies is required. While agencies have 
elements of such a strategy in place, more needs to be done to fully implement it 
and to address existing weaknesses. In particular, implementing our and agency in- 
spectors general recommendations will strengthen agencies’ ability to protect their 
systems and information, reducing the risk of a potentially devastating cyber attack. 

Chairman Lankford, Chairman Perry, Ranking Members Heitkamp and Watson 
Coleman, and Members of the subcommittees, this concludes my statement. I would 
be happy to answer your questions. 

Mr. Perry. Thank you Mr. Willemssen. Chair now recognizes 
himself for some questions beginning with Mr. Roth. 

Mr. Roth, how many subpoenas regarding the Chaffetz incident 
and the MCI, the Master Central Index, how many subpoenas were 
issued? 

Mr. Roth. I believe it was only one subpoena. 

Mr. Perry. So why if there were multiple individuals that admit- 
tedly breached the information and may have compromised it why 
would only one subpoena be issued? Why wouldn’t there be mul- 
tiple subpoenas issued for multiple individuals? 

Mr. Roth. Well, most of the information that we received were 
from Government data systems so no subpoena would be necessary. 
The only time we have to subpoena information is if we were going 
to a third party, like a telephone record provider for example. 

Typically it is our policy in these kinds of circumstances to have 
a level of predication before we go and subpoena somebody’s per- 
sonal telephone records. We had predication only on one individual 


16 GAO, Information Security: Agency Responses to Breaches of Personally Identifiable Infor- 
mation Need to Be More Consistent, GAO-14-34 (Washington, DC: Dec. 9, 2013). 

17 In June 2015, the Federal Chief Information Officer launched the 30-day Cybersecurity 
Sprint, during which agencies were to take immediate actions to combat cyber threats within 
30 days. Actions included patching critical vulnerabilities, tightening policies and practices for 
privileged users, and accelerating the implementation of multifactor authentication. 
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rather than the hundreds who may have had access to that infor- 
mation. 

Mr. Perry. Even those who admitted to wrongdoing? 

Mr. Roth. That is correct. 

Mr. Perry. Was the Index searched for other improper access 
incidences? 

Mr. Roth. It was not. The Index itself was created in 1984. It 
did not have the ability to readily do the kinds of forensics that you 
would do on a modern data system. In fact, what we were required 
to do, that is what the administrators of the database were re- 
quired to do, were actually write scripts or programs to be able to 
find access to this information. 

It was a highly time-consuming kind of a thing and because 
the — sort of the necessity for finding answers as quickly as we 
could, we only restricted it to Chairman Chaffetz’s name. 

Mr. Perry. So then, based on that, would it be correct to say that 
we have absolutely no idea at this point regarding that data sys- 
tem, the Master Central Index, if any other Americans or any other 
citizens have had similar things occur regarding their personally 
identifiable information, whether it was searched, whether it was 
divulged. We have no idea? 

Mr. Roth. That is correct. 

Mr. Perry. That is a bit unsettling. Director Clancy, are you fa- 
miliar with Operation Moonlight? 

Mr. Clancy. Sir, I am familiar with some of the details of that, 
yes. 

Mr. Perry. Can you just inform us? I understand you have got 
thousand of employees. This hearing is not meant to impugn or be- 
smirch the credibility of your agency. I think Americans have tradi- 
tionally and currently, have the highest regard and want to have 
that. But how does that — something like that happen? Can you? 

Mr. Clancy. Yes sir. 

Mr. Perry. So Secret Service agents used Government informa- 
tion, accessed databases and then used equipment, time, material 
to surveil essentially, a private citizen’s property without any due 
cause of anything. Is that essentially — I mean, that is my narrative 
but what is yours? Then how does that happen? 

Mr. Clancy. Sir forgive me as I was not here during that time 
frame so I am going to rely on some briefings when I first came 
in as the acting director and it was found as the OIG’s report illus- 
trates, people made very poor decisions. There was misjudgment. 
It should not have happened and there were some changes made 
in our management. 

Mr. Perry. Well, I will tell you. I looked at — and I imagine you 
are familiar with it. I am just going to read you the subject, is “Di- 
rective 2015-09, Disciplinary and Adverse Actions”. Right? 

Mr. Clancy. Yes sir. 

Mr. Perry. It is from your agency and I guess it is moving for- 
ward based on what has occurred regarding the information in the 
data breach. I just wanted to give you a flavor of what I see here: 
“An employee is entitled to,” “the employee is entitled to,” “the em- 
ployee is entitled to” — I am just kind of going through each para- 
graph — 
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“The employee will be provided with;” “the employee shall have 
an opportunity to;” “the employee is entitled to”. You kind-of get 
my gist, and the reason I say that is — what I am wondering is and 
I think what a lot of Americans wondering is what are the con- 
sequences of the actions of 45 or 41 employees who accessed Mr. 
Chaffetz’s data and then whoever disseminated it up to 60 times? 

What are the consequences to those individuals? We see what the 
employee’s rights are. 

Mr. Clancy. Yes. 

Mr. Perry. Right? 

Mr. Clancy. Yes sir. 

Mr. Perry. But what are the consequences? How does Mr. 
Chaffetz get his reputation back? What is going to happen to these 
individuals? What is currently happening? Where do things stand? 

Mr. Clancy. Mr. Chairman, Secretary Johnson and I met and 
talked about this in a true sense of transparency because myself 
and my executive staff have been all interviewed in this case. We 
made a joint decision that the Department of Homeland Security 
would make the proposals. In this case I will tell you — and I have 
heard the comments that were made today, of reprehensible, dis- 
turbing, embarrassing. 

I agree with everything that has been said here today and my 
workforce does as well. In fact, this hearing today will help me get 
this word out, the importance of protecting PII. We have all this, 
the training and we have the ethics guides and we go out and train 
are new recruits but a hearing like this puts a definitive stamp on 
our failures. 

In this case, the individuals to answer your questions, Mr. Chair- 
man, in this case, we are proposing, as of today, approximately 
42 — I don’t — don’t hold me to that number, approximately 42 will 
be issued a proposal of discipline ranging from anywhere from 3 
days to 12 days of a suspension. 

Mr. Perry. So that is the maximum? The maximum is 12 days 
of — I am going to — the Chair is going to indulge himself on the 
time here a little bit. I am following a lot of questioning. So the 
maximum penalty, the maximum of repercussion for doing — we all 
know that when you look at these computer systems there is a 
warning in front that this is to be used for official business only 
and we all know. 

Look, I hold as your folks do, a Secret security clearance, Top Se- 
cret security clearance. Everybody in the rooms knows, everybody 
in your agency knows that using this information for what it was 
used for was incorrect, improper, unauthorized, illegal. 

The most we can hope for, the most disciplinary — toughest, dis- 
ciplinary action right now is not a loss or revocation of your Secret 
security clearance, not the loss of your employment, it is 12 days 
suspension? I just want to be clear? Is that correct? 

Mr. Clancy. Mr. Chairman, that is for the Grades 15 and below. 
Those proposals have been issued as of today I am pretty sure on 
that. The SES-level folks have not had their discipline proposed as 
of this date. 

Mr. Perry. Is Mr. Lowery an SES-level employee? 

Mr. Clancy. He is, yes. 
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Mr. Perry. What is the range of options of discipline or con- 
sequence for Mr. Lowery, if you can inform — I am not asking you 
to tell us which one it is because maybe you are still completing 
your investigation, but what can we expect? 

Mr. Clancy. The range goes from a letter of reprimand all the 
way up to removal. 

Mr. Perry. Thank you. The Chair now recognizes the gentleman 
from Oklahoma. 

Senator Lankford. Would like to defer my questioning time to 
the Ranking Member. She has to be on the floor actually, of the 
Senate in a little bit. Actually working through a bill, so I would 
like to defer my time. 

Mr. Perry. So ordered. 

Senator Heitkamp. Thank you, Chairman Lankford. 

Every one of the — Mr. Clancy — Director Clancy, every incident 
that we know of, there seems like there wasn’t an adult in the 
room. That there was no one who provided that voice of saying, 
“Hey, guys, this is not the way to do this. Hey, we have a responsi- 
bility that is higher.” 

So while we look at management and we look at resources, you 
said in your testimony, you talked about how the corporate culture 
of the Secret Service is a priceless commodity. 

Every day that priceless commodity gets threatened by agents 
not willing to be the adult in the room, not willing to be the person 
who stands up and says, knock it off. Because you can’t do it just 
from a management standpoint. You have got to change the culture 
at the bottom and I think that is one of the concerns we have. 

Is that it seems like all of this has happened with a great impu- 
nity and almost — you know, you can’t touch me, you know, as the 
Chairman just talked about, or it is okay to do this. So, I want to 
know as we look at management changes, as we look at systemic 
rules and policies, those rules and policies are only as good as the 
commitment that people at every level within the Secret Service 
have for change. 

So what are you doing within the Secret Service to build capacity 
for people to be the adult in the room, to stop this at the source 
and say this is not what we do in the Secret Service? 

Mr. Clancy. Thank you, Senator. This discipline system that we 
have in place now is relatively new. It is approximately 2 years old 
and then with — which includes a table of penalties. In the past, 
discipline was handled at a more local level. Now everything is tun- 
neled up to our Office of Integrity. 

Senator Heitkamp. I don’t mean to interrupt but I am not talk- 
ing about discipline. I am talking about culture and obviously con- 
sequences are part of changing that culture. But what about the 
integrity at every level? Of basically saying we don’t do this. We 
don’t go to hotels and hire, you know, people to service us. 

We don’t, you know, drive into the White House and disrupt a 
major investigation. We don’t access a Congressman’s secret 
records. We don’t do that. Who is the person? How are we training 
people at every level to stand up and stop this behavior? Because 
I don’t think we can do it just having hearings like this. 

I think we have got to restore this priceless commodity that you 
are talking about, which is the integrity element of the men and 
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women at every level, knowing that it is their responsibility to help 
maintain the integrity of the Secret Service. 

Mr. Clancy. I agree with you, Senator. We have to do more in 
terms of communicating with our people. We can have all the train- 
ing exercises and all the on-line training, but for example, I have 
been to approximately 10 of our field offices, all of our protective 
details. I speak personally to our agents. I walk around the White 
House, talk to the officers. 

I meet all the recruits prior to their graduation, both agent and 
UD. I tell them what they represent and what is expected of them. 
But I have got to do more of that as well as our staff. We have to 
just keep communicating, keep communicating to our people. 

Again, what the Congress is doing today is a help to us and to 
our agency because again, the seriousness of what we have done 
in this particular case, resonates by these types of hearings. 

Senator Heitkamp. Thank you, Mr. Chairman. Yield back. 

Mr. Perry. The Chair thanks the gentlelady. 

The Chair recognizes Mrs. Watson Coleman from New Jersey. 

Mrs. Watson Coleman. Thank you, Mr. Chairman. 

Mr. Director, I want to talk about the Protective Mission Panel’s 
recommendations. One of the things I think was noted in the panel 
was that we needed new leadership. We needed leadership from 
outside of this organization that didn’t have the long-term relation- 
ships that might be somehow influenced by the relationships they 
did have and seeing it in a sort of insular way. 

You have a 27-year record or experience with the agency. Clear- 
ly, you are an insider. There was a removal of a number of depu- 
ties and they were replaced. The majority of the deputies that were 
replaced were also from within the agency with long service 
records. 

My question is: How do we change the culture of the organization 
if the very top leadership has been a part of that culture and per- 
haps only sees this organization from within? 

Would we have not been better served had you identified the ca- 
pacity to go to the outside and find people with certain skills, lead- 
ership abilities, accountabilities that would have transcended the 
relationships that individuals may have had? 

Could that possibly have helped us to become more efficient, 
more effective, and more accountable as an agency? 

Mr. Clancy. Thank you for that question. I will tell you that I 
respect if you, if many, that thought that this position, the direc- 
tor’s position, should have been someone from the outside. There 
is good reason for that. I understand that. 

I consider the fact that I left the Service for 3 years, worked in 
private industry, has allowed me to bring in some outside views on 
how to run a business and how to run this agency. So what I did 
do is, first of all, I brought in a chief operating officer, a civilian 
from outside the agency. 

That COO, chief operating officer, is equivalent to the deputy di- 
rector. Additionally, we have created a lot of subject-matter expert 
positions where traditionally, they answer to agents — you know, 
prior to me arriving here, all of the top-level security was run by 
agents. Some of them, candidly, were not subject-matter experts. 
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For example, finance. We now have a chief financial officer who 
does not answer directly to an assistant director who is an agent, 
she is the chief financial officer. Chief technology officer is an engi- 
neer, not an agent. The chief strategy officer is a lawyer who is not 
an agent. There are a few others as well. 

So we have brought in, we are trying to bring in this outside per- 
spective to run this business but also move the agents into our core 
mission of protection and investigations. 

Mrs. Watson Coleman. So talk to me a little bit about your abil- 
ity to bring in not only new people into the agency, but more di- 
verse people. Because the information that I have read regarding 
the Secret Service is that it is predominantly white male. 

There is a small percentage of women and not very — not con- 
sistent with across the board in Federal Government. What are you 
doing to address the issue of lack of diversity in terms of race and 
ethnicity and gender in positions? What are you doing to address 
the long-standing and outstanding issue with the civil rights com- 
plaints? 

Mr. Clancy. Yes. 

Mrs. Watson Coleman. Moving beyond them as opposed to 
using the system to delay the implementation of the corrective ac- 
tions that could be taking place. Thank you. 

Mr. Clancy. In terms of diversity, I think I would ask you first 
to look at my executive staff. On that staff of approximately 12 peo- 
ple, we have 5 African-Americans, 6 females. But going down 
throughout the ranks, you are correct. We are not where we want 
to be with diversity. 

So we are targeting universities that provide diversity for us. We 
have shortened our hiring process where we can go to these univer- 
sities and over a weekend period of time, do a testing, an interview 
and a polygraph if the first two steps are met. 

But we are targeting specific areas of the country to really work 
on this diversity because we are deficient in that area, certainly 
with females as well. We are working diligently to try to improve 
that diversity. 

Mrs. Watson Coleman. Thank you. I yield back for another. 

Mr. Perry. Chair thanks the gentlelady. The Chair now recog- 
nizes Mr. Johnson from Wisconsin. 

Senator Johnson. Thank you, Mr. Chairman. Inspector General 
Roth, in your written testimony, you state that, “Information was 
accessed by Secret Service employees on approximately 60 occa- 
sions between March 25 and April 2nd of this year.” Then you went 
on to say, “We concluded that a vast majority of those who accessed 
this information did so in violation of the Privacy Act of 1974.” 

What are the penalties for violating the Privacy Act of 1974? 

Mr. Roth. There are civil penalties for the agency that is in- 
volved if there is a wide-spread sort of gross negligence standard. 
So there are civil penalties, that is monetary penalties, for the 
agency involved. For individuals who accessed the system — improp- 
erly, knowing that it was protected under the Privacy Act that is 
a misdemeanor, which has a fine as a penalty but no custodial sen- 
tence. 
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Senator Johnson. Is there any Department of Justice investiga- 
tion being undertaken right now to determine whether those mis- 
demeanors were in fact going to — are they going to be prosecuted? 

Mr. Roth. No. During the course of our investigation we pre- 
sented a case, the most compelling case we had and it was declined 
by the U.S. attorney’s office. 

Senator Johnson. Why would that be? 

Mr. Roth. There are several reasons. First of all, each individual 
agent has a Fifth Amendment right to not speak to us if in fact 
he is under criminal jeopardy. So we could not interview individ- 
uals, compel their interview, which we ultimately had to do in this 
case for a lack of voluntary cooperation. 

So the level of evidence that the Department of Justice had was 
not sufficient for them to move forward. Additionally, when one 
looks at the penalty, it was simply a matter of competing resources. 

Senator Johnson. Director Clancy, you know, I got involved in 
looking into the cultural problems with the Secret Service back in 
early 2012 after the events at Cartagena. This is not why I ran for 
the United States Senate, was to look into the Secret Service. It is 
an agency that we all want to have a high deal of credibility and 
note, as you stated in your testimony, the culture — in many re- 
spects is almost, you know, beyond reproach. 

I mean, it is a fabulous agency, they are doing great work. But 
on the other hand, there is a real cultural problem. What are you 
going to do about it? I mean, I hear communication. I understand 
communication but actions speak far louder than words. When we 
are just talking a disciplinary process when there are violations of 
the Privacy Act and there are no prosecutions of it. 

There is nobody held to — even the misdemeanor penalties. There 
is nothing more corrosive in an organization that has a cultural 
problem when misdeeds go unpunished. So what actions are going 
to be taken? This is 3 years now. 

You know, Cartagena occurred in April 2012. We had 2013 and 
2014 and 2015. Three years later, we have a number of members 
of the Secret Service, violating the Privacy Act, violating DHS and 
Secret Service procedures. It doesn’t seem like we are getting a 
handle on the cultural problem within the Secret Service. 

Mr. Roth. Senator, Mr. Chairman, thank you for that question. 

We have removed people from the Secret Service. You mentioned 
Cartagena, several were removed in that case. As of today we are 
in the process of proposing a removal for an individual, unrelated 
to this. People are removed in the Secret Service. 

This Table of Penalties — I know we have referred to it a few 
times here, but we have used — we have benchmarked that with 
other agencies, so we are — want to be consistent with what is being 
done across the board. 

Just recently, I published for the first time to our entire work- 
force our integrity, the discipline over the past year, so they can 
see what types of cases are out there, are supervisors being dis- 
ciplined equal to the work force. We are trying to be transparent, 
again, that communication is critical here, but we are trying to be 
more transparent, and driving home the point that people will be 
held accountable. 

In this case, they will be held accountable. 
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Senator Johnson. As the Chairman was pointing out, there are 
an awful lot of protections for the employees, for the actual agents, 
but again, it is hard to see the accountability. 

Do you find that to be a problem? Are you constrained in what 
actions you would like to take, based on all the protections for the 
agents? I mean, should we have — should we be looking at the law 
there, and making sure the agencies have enough power to actually 
hold people accountable? 

Mr. Roth. Well, I think the excepted service would give us, 
would allow us to speed up that — the proposals in the discipline 
process. I know sometimes we are delayed in the process as we 
move forward. 

Senator Johnson. So, you would like some ability to take strong- 
er action quicker? 

Mr. Roth. Yes, yes, Mr. Chairman. 

Senator Johnson. Good. I think we need to take that into ac- 
count. 

Thank you, Mr. Chairman. 

Mr. Perry. The Chair thanks the gentlemen. The Chair now rec- 
ognizes the gentleman from Mississippi, Mr. Thompson. 

Mr. Thompson. Thank you very much, Mr. Chairman. 

Almost to the Member before me, the conversation has been 
about the culture of the organization, and I think it speaks to 
whether or not internally, we can fix it, or do we just cover it up? 

I will get to specifics shortly. 

Inspector Roth, in your review of the Secret Service, how would 
you describe the culture within the Service, especially at the Exec- 
utive level? 

Mr. Roth. As we noted in the report on the access to Chairman 
Chaffetz’s employment record, we found a number of supervisors 
who, in fact, themselves had access to MCI. To me, that was a very 
troubling incident; additionally a few people then elevated their 
concerns, or the fact that this was being used to a high enough 
level of management for something to be done. 

So that was sort of certainly troubling behavior that we identi- 
fied. 

Mr. Thompson. So, let me — so, we had senior-level people access- 
ing information, then we had that information being noted by peo- 
ple above those individuals. It is your testimony that nothing hap- 
pened? 

Mr. Roth. That is correct. I will give two examples, if I may. 

The first was the special agent in charge of the Washington field 
office, came to understand that some of her employees were access- 
ing the MCI to sort-of understand whether or not that rumor ex- 
isted. 

She ordered her individuals — her subordinates to cut it out. I 
think her exact words were knock it off, or quit fooling around with 
the MCI database. In fact, that is what occurred in the Washington 
field office. 

Unfortunately, throughout the country, other individuals were 
doing that, so that would be one example. The second example is 
the special agent in charge of the Indianapolis field division, who 
was, frankly, curious why it was that, in his view, Chairman 
Chaffetz was so hard on Director Clancy. 
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He, just out of idle curiosity, accessed the database himself to 
discover, in fact, that Chairman Chaffetz was a prior applicant. 

He did nothing with that information, did not elevate it up, or 
do any other kind of conduct. There are number of examples like 
that. 

Mr. Thompson. Thank you very much. 

So, Director Clancy, I hope you sense the membership’s concern 
about the culture, and I would hope that going forward, you would 
take this hearing, as you said, as a moment of instruction to try 
to fix it. 

The men and women deserve it; they do a wonderful job. But it 
is about leadership, and I think it is absolutely important. 

As you know, I have been talking to you since this summer, a 
little, small issue to some. It is relative to the fact that we found 
out that there were 643 employees assigned to duty that require 
a security clearance. They were working for the Department with- 
out the completion of the clearances. 

I had asked you for the demographics of those individuals. As of 
this date, I don’t have the information. 

I know you have been busy, but can you give me some indication 
when I can expect to receive the demographics of those 643 employ- 
ees? 

Mr. Clancy. Yes, sir. First of all, my apologies that you have not 
received that information — 640 individuals, I am assuming may be 
Department-wide, I think within the Secret Service, we did have 
people working that did not have their security clearances. I think 
it was much less than that, but we will get you an answer in the 
coming days on that 

Mr. Thompson. Okay. Well, it was Department-wide over a 5- 
year period, but my point is, some of us run up on men and women 
around the country who indicate that, I am trying to get employed 
with the Secret Service, but they tell me, I can’t get considered for 
employment, because I haven’t been cleared. 

I can’t go to training, I can’t do a lot of things. But it troubles 
some of us when we are already employing people whose job re- 
quires clearance on the other hand. 

So, I don’t know if that is favoritism or what. But it is real con- 
cerning. 

Mr. Clancy. I will follow up on that, sir. 

I can tell you that we don’t look at that, diversity, in terms of 
who gets a security clearance, who does not. 

In this case, the one that you referenced — and I will speak for 
the Secret Service — we were delinquent as we went through this 
hiring process, we did not get people their security clearances in a 
timely manner. 

Some — and they were assigned to positions outside of Wash- 
ington, for the most part. But what we have done, now, is we have 
brought in some contractors, additional 14 contractors, to ensure 
this never happens again where someone goes through our training 
and — when they get their graduation — when they graduate, they 
should have their clearance. So that has been resolved now within 
the Secret Service. 
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Mr. Thompson. So — it is your testimony that — there is nobody 
working for the Secret Service right now without a security clear- 
ance? 

Mr. Clancy. That is correct. To the best of my knowledge, that 
is correct. 

Mr. Thompson. Can you verify that for the committee? 

Mr. Clancy. Yes. Yes, sir. 

Mr. Thompson. Thank you. I yield back, Mr. Chair. 

Mr. Perry. Chairman thanks the gentleman. The Chairman now 
recognizes the gentleman from Georgia, Mr. Loudermilk. 

Mr. Loudermilk. Thank you, Mr. Chairman, and thank you all 
for being here. 

This is especially troubling for me as we look back over the his- 
tory of this incredible agency, the Service. It is an icon of what I 
think is American exceptionalism and the actions that we have 
seen take place — of course, it tarnishes the reputation of the Serv- 
ice, but more so, I think it really tarnishes the image the American 
people have of what they have always elevated as the exceptional 
service, not just in the Nation, but in the world. I think it is imper- 
ative that we address these issues, not just in hindsight but going 
forward to make sure that we restore the trust of the American 
people, the trust of Congress and the trust of the protectees. 

Mr. Roth, you said something in your written statement that 
really struck me here: “The Secret Service has certainly taken 
steps to address these challenges, but not always successfully. 
These persistent challenges may not be easy to resolve through ex- 
peditious actions, such as suspending employees and issuing new 
guidance. They may require more fundamental change that ad- 
dresses the root of the misconduct.” 

I think that is where we need to focus. What is the root, in your 
opinion? What is the root of the problem? 

Mr. Roth. When you look at guidance with regard to creating an 
ethical culture, as they say, it comes in 3 sort-of dimensions. One 
is tone at the top, which is not just at the very top, but all through 
leadership of an organization. The leaders have to set the exact 
right tone. The second is to have a code of conduct and a code of 
ethics that is truly meaningful. The third is to enforce that code 
of conduct, you know, in a way that expresses to the rank-and-file 
that you mean what you say with regard to that tone at the top. 

So you have to look at all three of those things. As Director 
Clancy said, I think the middle part, the code of conduct was not 
there until Cartagena, and there have been steps that they have 
taken since Cartagena to establish a more rigorous policy. 

So that is certainly an improvement that we think is well-de- 
served or a positive step in the right direction. But again, it has 
to be tone all the way through the organization, as well as a mean- 
ingful enforcement of that code of conduct. 

Mr. Loudermilk. I have a time line of misconduct that went 
back just prior to Cartagena, but it goes back to 2011. Up until 
that time, I don’t recall if — there is misconduct in any organization, 
but was there a history like we are seeing now, Mr. Roth, that you 
were aware of, prior to the last, you know, 4 or 5 years? 
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Mr. Roth. I am not aware of it. I just don’t have any insight into 
it. Certainly, we are only as good as the audits we do and the in- 
vestigations we do and we didn’t have anything before that. 

Mr. Loudermilk. Thank you. 

Mr. Clancy, I applaud your efforts. You have got a difficult task. 
You have been in the agency for quite a while. Do you recall that 
there was the level or the consistency of misconduct previously in 
the agency or is this just something new? 

Mr. Clancy. I think any agency has always had some mis- 
conduct, and the Secret Service has had misconduct in the past. I 
think it has — more attention has been brought to this misconduct 
in the last several years and I — and that is a good thing, and I ap- 
plaud the inspector general’s office for that. This has to be brought 
out in the open, these misconduct episodes, otherwise we won’t cor- 
rect it. So — yes. 

Mr. Loudermilk. You also — make sure I understood it right. You 
said that you are trying to — benchmark your disciplinary actions of 
other agencies. Is that what you were referring to looking at other 
agencies? 

Mr. Clancy. Yes, my understanding when the Table of Penalties 
was built out, our legal team worked with other agencies to see 
what they were doing from a discipline standpoint, what their table 
penalties were. We took their best ideas, best practices and built 
ours. 

Mr. Loudermilk. I would suggest you guys have to be a little 
stronger, a little better. It is the nature of the work that you do 
is so important to this Nation. One last thing, I think we have 
talked a lot about culture in here in the — and that is true. 

It is — look, I think what you are getting at is the culture of the 
agency, it is the esprit de corps. It is — you are in the Secret Serv- 
ice. You have an obligation to uphold the integrity, the honor, and 
the dignity of this agency. I think that may be what is missing 
somewhere. 

Just real quickly. I was going over this time line and there seems 
to be a common element with a lot of these. Look at Cartagena. Al- 
cohol was involved. June 2/13 — of 2013, alcohol. November 2013, 
abuse of alcohol. December 2013, alcohol. March, alcohol. June 
2014, alcohol. There seems to be this continual cycle of alcohol 
abuse associated with this, which from my experience in the mili- 
tary, usually indicates that there is a morale issue. I will let you 
comment and I will yield back after that. 

Mr. Clancy. Yes. You are correct, Congressman. We do have a 
morale issue, and a lot of it is because of our staffing, and that is 
one of the things we need to do — work with our staffing so that if 
we can build up the staffing level, we can get more training, which 
our people want, get a better quality of life, which will help their 
morale as well. 

But again, to your point here today, the accountability in dis- 
cipline matters also helps that morale. Are we going to hold people 
accountable? I will tell you, the episodes since I have been here — 
you mentioned the March 4 incident where an individual — two in- 
dividuals after a retirement party drove onto the White House. I 
can tell you that retirement parties now are — I don’t know of any 
that are taking place. People got that message. 
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This — what we are talking about today, PII. People are getting 
this message. So unfortunately, it takes these significant errors — 
misconduct to resonate sometimes with our people. But I do want 
to also say one thing. Less than 1 percent of our people are in- 
volved in this misconduct. It truly — 99 percent, as some of you 
have mentioned today, are doing the right thing. But that is — and 
they are working very hard — but we have to focus on that less- 
than- 1-percent, because we are held at a very high — and rightfully 
so — we are at a high level. 

Mr. Loudermilk. I hope you can get the Service back to the 
point to where people aren’t doing the right thing because they are 
afraid of the discipline, but they are doing the right thing because 
they are dedicated to the job, to the Service, to the spirit of the 
service and their oath to the Constitution. 

Thank you, sir. Mr. Chairman, I yield back. 

Mr. Perry. The Chair thanks the gentleman. The Chair now rec- 
ognizes the gentlelady from California, Mrs. Torres. 

Mrs. Torres. Thank you, Mr. Chairman. Director Clancy, just to 
be — to have some statistics here on the record. According to the 
Partnership for Public Service, the agency is 74 percent male. Is 
that correct? 

Mr. Clancy. Seventy-five percent. I can — let me just check that 
real quick. That sounds correct, but I — let me just 

Mrs. Torres. Seventy-two percent white, leaving it severely out 
of step with other agencies. Women make up 25 percent of the 
agency’s workforce, but only about 11 percent of the agents and 
uniformed officers. 

Mr. Clancy. You are correct. Yes. 

Mrs. Torres. You talked about your outreach efforts with uni- 
versities in targeting certain areas of the Nation. Have you en- 
gaged an employment agency to help you or to advise you in find- 
ing a more diverse workforce? 

Mr. Clancy. I am not aware that we have done — taken that step 
yet. It is a — it is an excellent suggestion that we may look into. 

I will tell you that when we go to these different areas of the 
country, we have a very diverse group, recruiting group that goes 
out to try to encourage females to apply as well as across the board 
in diversity. So 

Mrs. Torres. Are you targeting also the military or 

Mr. Clancy. Yes. 

Mrs. Torres [continuing]. Law enforcement agencies looking 
for — you know, there are great people working in law enforcement. 

Mr. Clancy. Absolutely. We go to military bases, and again, we 
run these, what we call ELACs, these Entry-Level Assessment 
Centers, so that, for example, at a military base, if you want to 
apply for a job with the Secret Service, we can do a testing ini- 
tially. If you pass the test, that very day, we can do a super inter- 
view of you. If again, it looks like you are a good candidate, then 
we will move you right to a polygraph, all within a weekend to try 
to speed up that process. 

But absolutely, the military bases — and we have found person- 
ally that people that have had a military background serve us very 
well. 

Mrs. Torres. Well, they have a high work ethic. 
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Mr. Clancy. They do. 

Mrs. Torres. They understand the pecking order, they under- 
stand the need to serve. 

I am disturbed by the incidents. I am happy to hear that it is 
a reflection on less than 1 percent of the workforce, but by no 
means does it make me feel better or safer. So would you say you 
have an agent problem or do you have a management problem? 

Mr. Clancy. It is a management problem, and it starts with me. 
There is no question it is a management problem, it is a leadership 
problem that I have got to find an answer to. 

Mrs. Torres. Have you taken steps to ensure that when we are 
clamping down on agents, that tougher disciplinary actions are 
taken upon the people who supervise them? 

Mr. Clancy. Yes. Supervisors are held accountable. Again with 
this — we put this out — again, trying to be transparent — to show 
our workforce how 

Mrs. Torres. Are there policies in place to ensure that whistle- 
blowers are protected? 

Mr. Clancy. Yes. Everyone in the service knows that whistle- 
blowers perform a vital function, and they cannot be — there is no 
retaliation, there is no — you know, you have got to let them go, yes. 

Mrs. Torres. So there are disciplinary steps that the agency 
takes when the Department rules are violated. 

Mr. Clancy. Yes. 

Mrs. Torres. There are disciplinary steps that the Department 
takes when our laws are broken. 

Mr. Clancy. Yes. 

Mrs. Torres. The agents are read Miranda rights. Is that what 
you were referring to in an earlier question? 

Mr. Clancy. No, they are not read Miranda rights. They are 
read either Kalkines or Garrity, I will let the inspector general cor- 
rect here if I am wrong on that. But that is what they are read, 
yes. 

Mrs. Torres. I come from the civilian part of law enforcement, 
so pardon. So criminal charges are filed, whether they are felony 
charges or misdemeanor charges. What are your steps? What steps 
do you take during that process? 

Mr. Clancy. Well, if criminal charges are filed, we typically im- 
mediately move to removing the security clearance so that this in- 
dividual can no longer have access to any of the protected facilities, 
any access to any of our protectees, of course, or any of our 

Mrs. Torres. So what happens to the rest of that immediate de- 
partment that are working with that employee now in the process 
of a criminal investigation and their supervisors? 

Mr. Clancy. If it is a — at that point, we don’t have — we remove 
all of their badges, we remove their equipment, and then it goes 
through the normal course of the criminal justice system. 

Mrs. Torres. My time is out. But I — what I am trying to figure 
out is if you have a rotten apple, how do you ensure that the whole 
bowl isn’t bad? 

Mr. Clancy. Yes. We can remove them very quickly in that case 
when there are criminal charges. Mr. Chairman, if I could just cor- 
rect the record for one item. Ranking Member Thompson had asked 
me about the security clearances. Our agents and officers, some of 
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them that are in training now have not had their clearances set- 
tled. They will by graduation. 

So anyone who graduates from our academy will have a security 
clearance. But while they are going through training, some of them 
may not have. 

Mr. Thompson. But as of this summer when we talked, that was 
not the case. 

Mr. Clancy. That is correct. That was not the case. You are ab- 
solutely correct. Yes. 

Mr. Thompson. Thank you. 

Mr. Perry. The Chair thanks the gentlelady. The Chair now rec- 
ognizes the gentleman from Florida, Mr. Clawson. 

Mr. Clawson. Sorry to hear about your dad. 

Mr. Clancy. Thank you, sir. 

Mr. Clawson. Greatest generation. 

Mr. Clancy. It was. I know many here have lost their fathers 
from that generation, and I think we have all learned from them. 

Mr. Clawson. Was your dad a vet? 

Mr. Clancy. He was, yes. 

Mr. Clawson. Yes, I know all about this. I just lost my mom and 
so, you know, it is the generation that the glass is half-full, put the 
team first, work hard and go to church on Sunday and the rest an- 
swers itself, right? 

Mr. Clancy. Yes, sir. Absolutely. 

Mr. Clawson. But we were lucky to have those kind of folks. 

Mr. Clancy. Yes, sir. Thank you. 

Mr. Clawson. Although, you know, we do a little bit for our 
country now, they — without ever saying it, they remind us that 
compared to what they did, we don’t do much. 

Mr. Clancy. That is correct. Yes, sir. 

Mr. Clawson. I have full respect and admiration for you and 
your dad. 

I have always thought of organizational culture as being the com- 
bination of performance and behavior, and therefore, how your 
agency and your employees think of themselves is dependent on 
those two things because they all see it. 

When bad behavior is not dealt with quickly, it impacts that cul- 
ture and how we view each other because it discourages good per- 
formers that — you know, that are doing their job every day. 

Everything tells me that these incidents of bad behavior ought 
to be isolated, put up in lights for everyone to see, and that action 
needs to be taken quickly. That that really is the responsibility of 
leadership. Therefore when it drags on and on, when it drags on 
and on, it really sends a bad message to this corporate culture that 
you referred to earlier. 

Why so slow? I mean, you know, systematic, shmistamatic, you 
know. You are the chief and you have got head of Homeland Secu- 
rity. You know, I mean, let’s go. Let’s take some actions so that you 
can do what is right and preserve the culture for you all your great 
performers. Am I missing something on that? Why so slow? 

Mr. Clancy. No, you are correct. Again, certainly if there is any 
criminal activity it is much quicker. We can remove their security 
clearance right away. With other types of misconduct as we are 
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talking about in this case it does take time for the full investiga- 
tion. 

Again, in transparency we had the OIG handle this investigation 
to do a very thorough investigation, and then once the investigation 
was completed, then we could move forward with that discipline. 

But under Title V, the employees, Federal employees, are given 
certain rights, and we follow that process, but eventually we get to 
where we need to be. Eventually we do get to where we need to 
be. 

Mr. Clawson. Well, it is going pretty slow for my taste, and I 
think for the sake of your organization I would be pushing this as 
hard as I can, because typical folks that run large organizations 
don’t understand this kind of length of time for — you know, it just 
festers because you don’t put it behind you. 

Mr. Clancy. Yes, sir. 

Mr. Clawson. So, you know, my point is that is let’s get going. 

I have found in organizational change that if you don’t change 
a third of your people in positions of responsibility you won’t 
change the culture, because they are going to out -wait you. They 
always out-wait you. 

If you change more than 50 percent then you may have a prob- 
lem with the institutional memory that you discussed earlier. 

I am really glad you brought diversity of thought and of experi- 
ence into your direct reports, but they will out-wait you below that. 
So just, you know — no rule of thumb is 100 percent for sure, but 
if I am sitting in your chair and not changing a third of my man- 
agers, and you are thinking you are going to change your organiza- 
tion, good luck. Don’t believe it. 

So you know, I don’t know if you have thought of it in numeric 
terms, but let’s get — a performance culture going without washing 
away the memory of the successes of the past. I am all for having 
both, and I don’t think if you implied this in your early comments, 
I don’t think you — it is one or the other. Change your culture, and 
preserve the successes of the past. Does that make sense? 

Mr. Clancy. It does, yes, sir. 

Mr. Clawson. Okay. Is there anything about what I have said 
that you would disagree with? 

Mr. Clancy. No, I wouldn’t sir. 

Mr. Clawson. Okay. Well, look, we want you to succeed. We 
could talk all day about whether you should be in the job or not, 
but you are in the job, and we need you to be successful. So any- 
thing I can do, our group, we want you to succeed. 

Look, I really like the tone at the top, so let’s get them. 

Mr. Clancy. Yes, sir. 

Mr. Clawson. Thank you. 

Mr. Perry. The Chair thanks the gentleman. The Chair thanks 
the gentleman. The Chair now recognizes the gentleman from 
Georgia, Mr. Carter. 

Mr. Carter. Thank you, Mr. Chairman. Thank all of you for 
being here. 

Mr. Clancy, how many times have — when did you get into the of- 
fice? When did you become the acting director? 

Mr. Clancy. The acting director, October 6, I believe. 

Mr. Carter. October 6? 
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Mr. Clancy. Of 2014. 

Mr. Carter. Of 2014. How many times have you appeared before 
Congress since then? 

Mr. Clancy. I believe this may be my sixth or seventh. 

Mr. Carter. You know, I have been here since January 6 and 
I think this is the fourth time I have seen you. I am just — I mean, 
obviously, we have got concerns here. There seems to be an on- 
going problem. 

Mr. Clancy. Yes. 

Mr. Carter. As you might know, I am very fortunate to have the 
Federal Law Enforcement Training Center in Glynco, Georgia, my 
district. I am familiar with the training that takes place with the 
Secret Service agents down there, and I think they do an excellent 
job, but I also want to remind you of the Protective Mission Panel 
that came out and actually said that the amount of training that 
the Secret Service agents were getting was far below what is 
should be. 

In fact, I think at one time, they said it was equal to only 25 
minutes for each 1,300 uniformed officers? 

Mr. Clancy. Yes. 

Mr. Carter. What are we doing to change that? 

Mr. Clancy. Well, you are absolutely correct, and I have been 
down to your Federal Law Enforcement Training Center and they 
do a great job down there, and they help us as we try to build our 
staffing levels. In terms of what we have done — uniformed division 
99% have gone through a building defense exercise training mis- 
sion — it is a 10-hour block. 

Additionally, approximately 700 of our uniformed officers have 
gone through a 3-day training period where they do their firearms, 
their emergency medicine, their control tactics — a number of 
things. 

The agents on the President’s detail — we have increased the 
number of agents on the President’s detail by November — I am 
sorry, by the second quarter — early January, we will have in- 
creased the numbers there by 85, which is what was recommended 
by the blue-ribbon panel, and that will help their training. 

So we have increased training by 85 percent on the President’s 
detail in this past year. 

Mr. Carter. Okay, well, specifically, let’s get to what we are 
here about today. That is about Chairman Chaffetz and that situa- 
tion. 

Inspector Roth has stated that several of the agents that violated 
the Secret Service and the Homeland Security policies when they 
accessed his records. This was criminal offense, don’t you think? 

Mr. Clancy. It is on the books as a criminal offense, yes. 

Mr. Carter. It is on the books as a criminal offense. 

Tell me what you have done. Have these people been fired? Have 
they been disciplined at all? A criminal offense by an agency that 
we hold to the highest standard. 

You know, earlier — I am a little bit frustrated by some of the 
things I have heard, here. Keep in mind that we, up here, are ex- 
perts at spin. And pivoting. My campaign manager — that was his 
favorite word — pivot, pivot, pivot. 



53 


All of a sudden I heard you talking about data. If the data had 
been better-protected — give me a break. If they wanted to see this, 
they were gonna see it, I don’t care how the data was protected. 

How can you let this go on? Why haven’t you fired these people? 
They knew this was wrong. Don’t you agree? Don’t you agree? They 
knew this was wrong. 

Mr. Clancy. I do agree, and certainly, there is misconduct here, 
the discipline has been proposed for those GS-15 and below. But 
the data is also important. As a side step. 

Mr. Carter. I understand that, I respect that, and I acknowledge 
that it is important, that it be protected. 

But still, the basic premise here is that they knew what they 
were doing was wrong. 

Mr. Clancy. Yes. Looking at the OIG report, they should have 
known what they were doing was wrong. Some of them, I think, 
will acknowledge 

Mr. Carter. Should have known? To an agency that we consider 
to be — to hold at the highest level? 

Mr. Clancy. Right. 

Mr. Carter. I just can’t go along with that. I mean, even you 
yourself said it was inexcusable and unacceptable. It is. It deserves 
discipline. 

Look, I am a small businessman. I have got employees as well, 
and I can tell you, when something like this happens, and I am not 
trying to tell you how to run your business, but you know as well 
as I do that when you got a cancer, you gotta get rid of it. Other- 
wise, it is going to destroy your whole business. You have got to 
get rid of this cancer here. You have got to set an example. You 
have got an opportunity right here to set an example, because what 
they did was wrong. They knew it was wrong. They deserve dis- 
cipline. They deserve to be let go. 

Mr. Clancy. They deserve discipline. We do look at the whole 
picture here, too. The whole person. 

Some of these people have spent 28 years with no discipline in 
their history. Some of them self-reported. Some of them — they are 
obviously all very remorseful. 

But it was wrong? Yes. But we do look at the whole picture and 
the whole person of their career. 

Mr. Carter. I get that. I want to make sure that the punishment 
fits the crime and I understand that, and you should look at their 
whole career. But at the same time, again, you have been here six 
times since you took office. 

Mr. Clancy. Yes. 

Mr. Carter. We want you to succeed. We don’t want to see you 
fail. 

Mr. Clancy. Yes. 

Mr. Carter. We don’t want to see you here anymore. That is es- 
sentially it. We want you to do this. We want you to do well, but 
we gotta have your help. 

Mr. Chairman, I yield back. 

Mr. Perry. The Chair thanks the gentleman. 

The Chair now recognizes the gentleman from Oklahoma, Sen- 
ator Lankford. 
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Senator Lankford. Gentlemen, thank you. Long day — we have 
still got a little ways to go, to be able to bounce you some ques- 
tions, I appreciate it very much. Let me just state a couple things 
that I picked up from a lot of the conversation here today. Then 
I want to walk through multiple questions. 

There are a lot of issues with Secret Service. That has been well- 
documented, and I want to talk about that a little bit. 

I would say to you, I do disagree with one of the findings of the 
panel, I do think someone from the inside needs to be there to be 
able to fix it. 

Someone from the outside that doesn’t have the same law-en- 
forcement background or doesn’t have the same sense of corporate 
identity with Secret Service walks in as an outsider and has a dif- 
ferent opinion on it. Someone from the inside can walk in and say 
I am one of us and part of us and can turn some things around. 

So I appreciate that you are there because there is obviously 
work to be done. I am gonna come back to that in just a little bit. 

Mr. Roth, let me ask you a question. Is it your sense that for 
these individuals that accessed this database it was the first time 
for them to access it — this database like this? Did anyone ever ask 
them, you know, gosh, did you just happen to say, gosh, maybe I 
should go look at Jason Chaffetz’ records? Someone said, well I 
think, maybe, we could get access to that. 

Or did this look like this was a pattern of behavior, that if they 
are interested in someone they can go pull it? 

Mr. Roth. I think it ran the gamut depending on the agent we 
talked to. Some of them didn’t think it was wrong at all because 
what they called it was “our database”. It was a Secret Service 
database unlike, NCIC, or TECS, or one of the other, sort-of larger 
criminal databases, this was run by the Secret Service and saw 
nothing wrong with it. 

Others didn’t understand that it was wrong until after they did 
it, and then they realized, well, I probably should not have done 
it. 

Senator Lankford. There is a training that happens multiple 
times a year, both orally and electronically — there is, your com- 
puter when you start it up there, it says this is for official use only. 
It is still your perception that some individuals just kind-of ignored 
all of that and said it is our database, we can do with it what we 
want. 

Mr. Roth. That is correct. 

Senator Lankford. Okay. Well, the problem with that is, if they 
can pull any Member of Congress, if they can pull any individual 
there, that also means the new neighbor down the street, I can go 
check my records and see if there is, you know, something on the 
new neighbor down the street. When their daughter starts dating 
some new guy they can go pull his family and go pull the records 
on it. 

If this is someone they don’t like, they can pull the records. 

What we saw from the VA — and we will talk about this with 
GAO in just a moment — but the VA became a whistleblower there, 
and we found out that their employees that were then just pulling 
records, that were medical records on someone they didn’t like as 
a whistleblower in the process. 
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The challenge that we have here is access to data, you know, it 
is official and nonofficial and how do we actually direct this. 

So, based on your perception and walking through this with Se- 
cret Service — is it your perception this has been an on-going issue 
for some employees just to be able to use that database as just I 
can go look at it, whether it is official nonofficial, and they blur 
those lines? 

Mr. Roth. That is the sense we got from at least some of the 
agents that we interviewed who had accessed the database. 

Senator Lankford. Okay. Mr. Willemssen, how do we deal with 
this? Social Security has identified 50 different individuals that 
were given merit bonuses at the end of the year, but also during 
the year had accessed information for unofficial purposes and had 
looked people up. 

VA has this issue, which we can talk about in greater length — 
with someone grabbing information to be able to look at it — that 
is a whistleblower. 

How many agencies have good systems in place to be able to 
audit, at least, how individuals access these sensitive databases? 

Mr. Willemssen. This particular access problem is probably the 
most common issue that we see when we are doing detailed infor- 
mation security audits. Too many people have access to things they 
don’t need access to. It is not part of their job description. They 
don’t have a need to know, but yet, they are given access. 

So access is a real issue. It is one that we — I would say that is 
probably the most frequent one we come up with. 

Another issue that is interesting in this case is when you are col- 
lecting PII you — one of the things you do is end up scheduling a 
records notice with NARA — National Archives and Records Admin- 
istration — to among other things, tell them how long you are going 
to keep the files before you dispose of it. 

I was kind-of curious about why an application file from 2003 
would be kept 12 years later. Those kinds of things should be dis- 
posed of fairly quickly. Hopefully, that is part of what the Service 
will be doing going forward. 

You are supposed to schedule those records out and dispose of 
them at a certain date. Sometimes 1 year, sometimes 5 years. 

Senator Lankford. Can you pause on that? 

Mr. Clancy, has that been taken care of at this point? There are 
two different sets of information. Both the electronic records that 
are not applicable anymore, and paper records, because it is my un- 
derstanding that are still some offices though the access point has 
been changed electronically, if you go into a file room, those old ap- 
plication files may still be there in paper form, as well. 

Has that been dealt with as well? 

Mr. Clancy. Yes, we are moving forward too, for example, the 
applicants. Every 2 years those files will be purged. Right now 
there is an investigation going on with the inspector general, so 
some of that will be delayed slightly until they’re through the in- 
vestigation, but that is the plan forward. Also, again, with the ap- 
plicants in mind, 95 percent of the people that had access before 
no longer will have access because of the new system. 
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Senator Lankford. Is that both paper and electronic for those of- 
fices around the country, do they still have access to paper 
records — somewhere in a filing cabinet? 

Mr. Clancy. I will have to get back to you with a good solid an- 
swer on that. I think we have moved away from a lot of the paper, 
but let me give you a better answer. 

Senator Lankford. Okay. That would be something wise to be 
able to evaluate as well. Both the electronic version, the access 
points, and then obviously the paper version to make sure that that 
is also purged. It may be, just if you have access to that room, you 
also have access to those files, and it is part of the challenge here. 

Let me come back to Mr. Willemssen. 

Which agency would you identify and say this agency is a good 
model example of how to handle personal identifiable information? 
They are auditing well, they are tracking well, they are a model 
agency? 

Mr. Willemssen. Don’t have one. No model agency. 

Senator Lankford. That is somewhat depressing. 

Mr. Willemssen. Yes, it is. Now, the more optimistic note, since 
the OPM cyber disaster, this has become a major priority. OMB 
has charged up, it has definitely elevated its priority on this. Agen- 
cy heads now recognize that this is a critical issue that needs to 
be addressed. 

You know, and when we first announced the information security 
area as high-risk, first few years I was told, you know, you are 
Chicken Little, the sky is falling. 

I don’t hear that anymore. 

Senator Lankford. Sky fell. 

Mr. Willemssen. Yes. 

Senator Lankford. Okay. So the challenge that we have here is 
dealing with — let me just give you one example of VA. This is 
something GAO has for years and years identified issues with VA. 

Mr. Willemssen. Yes, sir. 

Senator Lankford. How does this get better? How do we prevent 
unauthorized access of medical information and of private informa- 
tion for our veterans? 

Mr. Willemssen. Veterans Affairs has a significantly high per- 
centage of systems that are considered high-impact systems — that 
is, the disclosure of data or modification of the data because of the 
medical records, is considered to be very severe in terms of its pos- 
sible impact if it is lost, stolen, or reviewed by others. 

Given that, you have to put much stricter controls in place, in- 
cluding monitoring users and what they are doing, and if they have 
any atypical patterns in use, and the 

Senator Lankford. Is this just an audit, or is this an algorithm 
that is created? 

Mr. Willemssen. This is an audit and an algorithm. You can do 
it automatically. 

Senator Lankford. Right. 

Mr. Willemssen. It is contained in the National Institute for 
Standards and Technology guidance for high-impact systems. Like 
I said, VA has a significant percentage of high-impact systems 
where you have got to put these kind of controls in place to try to 
prevent the kind of situations that you described. 



57 


Senator Lankford. Mr. Chairman, I would like — I don’t know if 
we are going to do a second round of questions, but I do have addi- 
tional questions for Director Clancy as well. 

Mr. Perry. If you don’t mind, I will suspend. 

Thank you, sir, and I will suspend your questions at the time 
and recognize Mrs. Watson Coleman for a second round. 

Mrs. Watson Coleman. Mr. Chairman, you know, I know we 
were here. I know that my colleagues wanted us to sort-of focus on 
what happened to Chairman Chaffetz. 

I think if I were him — if I were he, I would probably want this 
to just go away now. Take care of the business that needs to be 
taken care of, discipline the people that need to be disciplined, 
learn the lessons that you need to learn, but, you know, I just real- 
ly don’t think he needs to have this or wants to have this as a con- 
tinuing story. 

But it does speak to other issues that we are identifying, and it 
does speak to a culture or way of thinking or way of doing business 
or the way we — they — we perceive ourselves on the inside that 
needs to be addressed. I know you have expectations for that 
changing. 

I would like to know any steps that you are actually taking to 
change the culture in the form of action. What happens with your 
executive level? What happens with the level beneath that, the su- 
pervisory level? What happens with the rank-and-file level? 

How are you addressing the need to get our agency to think more 
differently about how we come to work? What we do at work? We 
don’t sleep at work. We don’t sex text under any circumstances. 
You know, we don’t look into files that we don’t have a responsi- 
bility, a need to look into. 

Is there going to be some sort of a fail-safe mechanism that 
shows when the file is being accessed by someone who shouldn’t be, 
or has no reason to be? I would like to know some steps that you 
are taking. 

Thank you. Thank you, Mr. Chairman. 

Mr. Clancy. I just think, in terms of the overall culture here, 
one of the things we are doing is we are trying to have our work- 
force take ownership of this agency. It is their agency, and — let me 
just give you one example. 

Just 3 or 4 weeks ago, we started a new program. It is a 
crowdsourcing type of service on our intranet where our agents and 
our officers and all of our employees — professional staff can send 
in ideas, suggestions, what we should be doing better, what should 
we be looking at, and then they get other people from the work- 
force looking at that, and they can “like” that, for — better term, 
and then it forces the executive staff to look at that. 

We have seen this as a very positive — already within a few 
weeks, we have had close to 200 hits of — we call it Spark — where 
people have taken ownership of their agency. 

Now, I think that is where we have got to get to that point. It 
is management, it is my leadership, but additionally, it is the indi- 
viduals who have to take ownership of this agency. I will say again, 
99 percent of our people do have that ownership. 

Mrs. Watson Coleman. So, Mr. Clancy, I have been in the Exec- 
utive branch of Government, and I know it takes that kind of ex- 
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pectation, but it takes a plan of action, and it takes whether or not 
you are hiring people from the outside who look at these issues and 
work through groups, and you work down through the organiza- 
tion. 

So at some point I would like to know if you are planning to do 
those kinds of action steps. 

Then the last question is — I really do want to know — is there 
some sort of way that there is a notification of accessing informa- 
tion when you are not — when it is out of order for what you are 
doing, it is not related to your case? Your identification number to 
get into it signals whether or not you are or are not the right per- 
son to be accessing this information? As a follow-up to Senator 
Lankford’s concerns. 

Mr. Clancy. My understanding is — and the other gentlemen in 
here may be able to answer this better — but it requires constant 
monitoring and auditing, and there is no automatic notice that 
someone has accessed someone’s data inappropriately. It has to be 
constant monitoring. 

Each 

Mrs. Watson Coleman. Who 

Mr. Clancy [continuing]. There is an administrator for each of 
these buckets of information, and that administrator has to control 
who has access — who has the need to know that information. 

So it is up to the administrator — so with our human resources, 
we have approximately 260 that would have access to our applicant 
data with this new system, and that administrator would have to 
ensure that anyone else who enters has access they have approved. 

Mrs. Watson Coleman. Thank you. Did you want to say some- 
thing to this, Mr. Roth — respond to this? 

Mr. Roth. If I may — yes, if I may, just as an example, the DHS 
TECS system is one in which, for example, if Director Clancy had 
created a record there and then I accessed that record, Director 
Clancy would get an e-mail that I was the one who accessed the 
record. 

So not only what Director Clancy was talking about, which is — 
you know, you can run reports by the system administrator, but 
there are also sort of real-time controls on modern IT systems that 
weren’t present in the MCI system. 

Mrs. Watson Coleman. Thank you, Mr. Chairman. I yield back. 

Mr. Perry. Chair thanks the gentlelady from New Jersey. Chair 
recognizes the gentleman Mr. Lankford. 

Senator Lankford. Thank you. 

I think the audit system is gonna be the key. At whatever per- 
centage that that is, to be able to have, for this computer at this 
spot, here is everything that you ran, and that they know at some 
point, someone is going to just spot-audit. 

You can’t go through all of it. There is not a need to go through 
all of it. But just the simple accountability that sits out there some- 
where, to know there is an algorithm that is running, to say, “hey, 
there is a search for files that don’t seem to be consistent with offi- 
cial records.” 

There is a spot audit occasionally, that you may come in and face 
discipline, saying, “you pulled records from your neighbor down the 



59 


street, or from someone you don’t like.” All those things, I think, 
just become important. 

We have a tremendous number of people that work in the Fed- 
eral workforce that are great people, that generally love the coun- 
try and love to be able to do what their job is. The problem is these 
small — as Mr. Clancy, as you mentioned — the 1 percent on it. 

I had to smile as we were walking through some of the conversa- 
tion about Secret Service and picking on Secret Service today. I 
hope we are really not picking on you. This has become the latest 
example of multiple examples, whether that be VA or Social Secu- 
rity or others became the visual example again. 

But I have to tell you, as I have listened to some of the conversa- 
tion on the dais about challenges with public-relations nightmares 
and employees not doing their job and alcohol abuse and every- 
thing else, we could, quite frankly, flip the tables, and y’all could 
hold a hearing on Members of Congress and have the same accusa- 
tion. 

I would assure you it is more than 1 percent of the Members of 
Congress have some of these exact same issues. So this issue is 
not — is a human behavior issue, but it is also a professionalism 
issue of taking the task seriously. 

So, Mr. Clancy, I am going to give you an unfair list, and just 
to be able to walk through a few things, and I am going to tell you 
this in advance — as I have tried to start walking through some of 
the issues and the recommendations for the Secret Service — it is 
the oldest law — oldest general law enforcement entity in our coun- 
try. It is an incredibly valuable resource to our Nation. 

But my fear is some changes that have been put in place over 
the past several decades — it is not on your watch — have brought 
about some morale shifts on it. What I am trying to figure out is 
how do we shift morale back, and how do we get on top of this? 
Otherwise, it is Whack-a-Mole with the different issues all the 
time. 

Overtime rules seem to come up over and over again as I talk 
to different agents and individuals. Getting some sort of standard 
practice with your counterpart agencies. Accountability of leader- 
ship, so if there is a bad actor, everyone knows that is not tolerable 
in our agency. 

When you actually confront issues, everyone knows that is the 
standard and we are going to live up to it. If there is a bad apple, 
as has been stated, in the group, or someone that is flippant about 
it, everyone kind of works down to that level. 

Priority of new equipment and technology. I find that Secret 
Service is not getting the top priority for some of the newest tech- 
nology and newest equipment among our DHS law enforcement, 
and I think it is demeaning. That sends a false message to Secret 
Service that they are not as valuable as some of the other aspects 
of DHS. 

Their responsibilities seem to be getting cluttered instead of a 
clarity, where it has been historically, for protection and for coun- 
terfeit duties. There seems to be other duties that seem to be kind 
of creeping into it that distract from the core mission here. 

The consistent career track — that seems to be a consistent theme 
that I have heard over and over again, that the career track seems 
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to change, so no one really knows what path they are on here. Am 
I off on any of these at this point? 

Mr. Clancy. No, you are correct, and I will just comment on your 
last — the career track. We did bring in a workforce of agents at dif- 
ferent levels to try to look at the best career track moving forward, 
and we have just announced, a couple months ago, the new career 
track for our agents so that they can plan their future. 

That has been one of the problems. You don’t know if you are 
going to come to Washington, or will you be able to go to Texas. 
So we are, again, listening to our workforce, trying to find solu- 
tions. 

Senator Lankford. That is one of the things you can do if you 
are on the inside and you know full well what is happening. But 
I would encourage in the career track — and y’all have already ex- 
amined this, and go from there — the possibility that individuals 
that are on a previous career track still could finish that out. 

Mr. Clancy. Yes. 

Senator Lankford. They can be grandfathered into that, or, if 
they choose to shift to the other one, they could choose that as well. 
That gives them the option and not feel like the new guys got the 
new stuff, or whatever it may be, but also have something to say, 
“I started on this, I can actually complete this and not feel like the 
rules are changing on me again” as they walk through. 

This corporate identity is extremely important, and is extremely 
valuable. What I fear is that there is a growing sense of lack of im- 
portance of people that are incredibly important to our Nation. 

I never want Secret Service folks to feel like they just guard 
doors for a living. They don’t. They have an incredibly valuable 
role, and the morale, and the — what you set — and the role and the 
standard that you set will be incredibly important for years to 
come. 

If there is a silver lining in this, historically, Secret Service have 
had a really bad time when a President was shot. No one has been 
shot. 

There are just some things that were messed up, and this is 
unique moment for — publicly for the Secret Service to reevaluate 
again, and go, “Who are we? Where are we going? What is our 
clear task?” 

I would encourage you, if there are issues in working with DHS 
and in the scheme of things, these committees need to know it, be- 
cause we want to make sure that all of the DHS families all feel 
equal levels of importance. 

Your Secret Service transitioned pretty quickly, I guess, from 
working in the Treasury to DHS and all the restructuring and you 
are now one of many rather than the big dog of Treasury. That has 
both benefits and challenges, and we need to know and to have 
some way to be able to help communicate in that so that we can 
help actually engage in this because we are not only advocates, but 
we are accountability in the process. 

Today probably feels more like accountability, but we also have 
the desire to be advocates on these roles. So we will need to know 
that. Is that fair? 

Mr. Clancy. That is fair, Mr. Chairman. If I could comment on 
one thing there, sir. 



61 


Senator Lankford. Yes, sir. 

Mr. Clancy. Just to give you some comfort — I know it has given 
me comfort, but I went through this papal visit as well as the U.N. 
General Asembly. I traveled with the Pope and I can tell you, as 
I talk to our agents, our officers and our professional staff, this was 
a defining moment for our agency. As I talk to these people, I 
looked in their eyes, they wanted to be successful. They know the 
issues that have been highlighted, and rightfully so, over the past 
several years. 

This was an unprecedented time in our history and our people 
were determined to make this successful and we did this for NSSEs 
without incident, and our people felt very proud about that and I 
am very proud of our workforce. 

Now having said that, we have got to correct these other things 
too, and we will, but we have got people that are working very 
hard for the American people. 

Senator Lankford. Yes, you do, and we acknowledge that and 
we understand that. But we also don’t want anything to distract 
it. 

Mr. Clancy. Yes, sir. 

Senator Lankford. Mr. Willemssen, let me ask you this as well. 
When we are talking about databases and we are talking about ac- 
cess points, is there any independent agency or agency that is an 
Executive agency that you think has a higher risk or has no system 
of tracking this, old or new, that you look at and say these — of the 
high-risk, these are the highest-risk? 

Part of my question — are the independent agencies — do we know 
for certain that they have auditing process? Because they handle 
incredibly sensitive financial data on Americans. 

Mr. Willemssen. I would point to those agencies who have the 
most PII, personally identifiable information, as reason to make 
sure that they are doing everything they can to protect that. 

So you start with Social Security Administration, who has PII on 
almost every citizen. Veterans Affairs you have already mentioned, 
definitely an issue. Department of Education, probably somewhat 
overlooked because they have a tremendous amount of PII because 
of the student loans, not only on the student, but sometimes on the 
parents. 

So I would be most concerned about where the PII is the most 
significant. 

Senator Lankford. Let me ask you about things like SEC or 
CFPB, fairly new entity for CFPB, they have a tremendous amount 
of data. 

Mr. Willemssen. Yes. 

Senator Lankford. Do we know, on their employees, how they 
have access and the limitations that they have? 

Mr. Willemssen. We know that they have at least three sets of 
data collection that includes PII, maybe more. Arbitration case 
records, bank-deposit account and transaction-level data and store- 
front payday loans. 

Senator Lankford. What is their auditing process for their em- 
ployees inappropriately accessing that? 

Mr. Willemssen. That is something we will have — we can follow 
up on. We did make a recommendation in terms of the — we pre- 
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viously had done work and we made a recommendation related to 
their privacy-impact assessment. 

Whenever you collect PII, you have got to do a privacy-impact as- 
sessment that lets everyone know what are we collecting, why are 
we collecting it, how are we going to use it, how are we not going 
to use it, and when are we going to dispose of it. 

They had not fully done those when we had done our work, so 
made a recommendation on that, and that is something I can follow 
up on and see where they are at. 

Senator Lankford. I know CFPB has just requested, again, an- 
other incredibly large jump in the amount of information that they 
are gathering on Americans and gathering on databases. That 
seems to exceed even what was originally designed in Dodd-Frank. 

Mr. Willemssen. Well, it may be more than what we had men- 
tioned in our report, then. They may have further expanded it. 

Senator Lankford. It is a fairly recent expansion request for ad- 
ditional information. What we are trying to figure out is who has 
access to that, how often do they have access to that? 

Mr. Willemssen. We can follow up for you on the that. 

Senator Lankford. That would be very helpful to this Congress. 

Mr. Willemssen. Yes, sir. 

Senator Lankford. Gentlemen, I thank you for your participa- 
tion today. 

Mr. Perry. The Chair thanks the gentleman from Oklahoma. 

Before I close out, I have got a couple questions. Mr. Willemssen, 
you know, you are from the Government Accountability Office and 
I read through your information. I am just wondering if you can 
provide any clarity on other agencies regarding penalties, regard- 
ing accountability for actions that have been — that they have en- 
gaged in regarding security clearances? That might be out of your 
wheelhouse, and if it is, that is 

Mr. Willemssen. Well, I can talk about numerous — some of the 
major incidents over time. Probably the first major incident we had 
with inappropriate browsing was at the IRS in the mid-1990s. Sev- 
eral employees decided to start browsing celebrities’ tax returns, 
and actually, as a result of that, there was an act passed, the Tax- 
payer Browsing Protection Act, 1997. That, among other things, 
has penalties of up to a $1,000 fine and imprisonment of not more 
than 1 year. 

Mr. Perry. Do you know if anybody was ever prosecuted under 
that? And was subjected to those penalties at all? 

Mr. Willemssen. Do not know that, sir, but I can — we can follow 
up on that with the IRS. 

Mr. Perry. Well, I — actually, I wish you would, just so we know. 

Director, you also mentioned that — I think you are — there are 
some limitations, right, to what you can do regarding account- 
ability, regarding punishment for actions that are beneath the 
standard? Is that correct? 

Mr. Clancy. Yes. We are not able to fire at will. 

Mr. Perry. You are not — okay. So we need to know, the members 
of this board and Congress in general needs to know what you need 
us to do for you to be successful, for you to manage your force, 
okay? We need your direct recommendations and that is, as I have 
said so many times in the room, we want you to be successful, and 
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if we are standing in the way, you need to let us know what we 
can do, what we should do, so that you could be successful. 

You know, I have served for over 30 years the United States 
military, if you are familiar with the Army, and I guarantee you 
if there is a question of your security clearance and your activity 
regarding the security clearance, that is suspended on an interim 
basis, pending an investigation. If you are found to have been at 
fault, and have breached, that is very serious. It incredibly serious 
for the most minor infractions. It is not meant to be a culture of 
punishment and fear, but it is meant to keep honest people honest 
and to raise to the level of importance those things that should be 
important. 

I would just suggest that maybe that would be something that 
you might want to look at for suspension of security clearances, 
which I would imagine in your business, a suspension of a security 
clearance, certainly on an interim basis — maybe on an interim 
basis, but absolutely on a permanent basis means loss of employ- 
ment because you can’t be employed without it, right? And 

Mr. Clancy. That is correct, yes, sir. 

Mr. Perry. That is correct, right? So that gets to where we want 
to be. I would also say this. In looking at some of the testimony, 
we are concerned about how fast you are getting the information. 
You are the top dog and you are in charge and I get it. But I will 
tell you this too. Whether it is in my family, whether or, whether 
it is in the military, whether I was running my business, bad infor- 
mation, bad news does not get better with time. 

There must be a culture of something happened, and who needs 
to know and we get the information up to the top of the chain as 
quickly as possible because you have got to be able to do your job. 
You can’t do it without the information. If your subordinates don’t 
know that that is your expectation, then we are going to have — we 
are going to have this continuation of this, which none of us want. 

You are sitting here in front of us and you are defending your 
agency and your agents, as we expect you to, as you should. You 
will probably also note that 95 percent of your time will be spent 
on 5 percent of your people. Director, I have been out to your oper- 
ation and I have been well impressed and all of us really want to 
hold up the Secret Service as the standard. We want that. Ameri- 
cans really desperately want that. 

So these things are incredibly hurtful, so when we hear them in 
the news, they are hurtful. There is a bigger picture here and I 
think your agents, your employees need to understand it is not 
their system. It is the taxpayers’ database, and is not their infor- 
mation, it is those individuals’ information. 

You don’t own it, those individuals own it. To use it willy-nilly 
is reprehensible in an age when, as the Senator talked about, 
your — all these information that the governments gather, the infor- 
mation that the private sector is gathering and what happens to 
it and who owns it and the force of law under the ACA, which says 
you must submit your information. 

To think and to wonder that somebody might be using that for 
their personal whatever, that is a problem. That is a problem for 
the American citizen trusting their Government, and your employ- 



64 


ees have a direct connection to that. They must — in my opinion, 
they must understand that. 

I want to just speak to this — you have been questioned a couple 
times on diversity and also on filling your ranks and in keeping 
your people employed and keeping them incentivized and so on and 
so forth. We understand that you have challenges, just like every- 
body does, complying with the law and filling your ranks with the 
people that you want to have there. We understand that. I would 
say from this person’s perspective, we want you, I want you to get 
the best. You get the best, all right? You get the best to do the job. 

Finally, I noticed a couple times you said you are trying to be 
consistent with other agencies. I will tell you this, sir. I understand 
where you want to be, but this is the Secret Service, the premier 
organization of your type in the United States Government, in the 
world. 

How about if you lead? If you can’t find somebody that meets the 
standards you want to set in your agency around the Government 
agencies, go outside. Make your own standard. If you need help 
from us, you need to ask for it, all right? 

Thank you very much for your time here. Gentlemen — again — I 
thank you, the witnesses all for your very valuable testimony and 
for the Members and their questions. Members may have some ad- 
ditional questions for the witnesses and we will ask that you re- 
spond to those in writing. 

Without objection, this subcommittees stand adjourned. 

[Whereupon, at 12:02 p.m., the subcommittees were adjourned.] 
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Questions From Chairman Scott Perry for Joseph P. Clancy 

Question la. According to Secret Service officials, USSS policies related to access- 
ing and disclosing PII are available in the Secret Service ethics manual distributed 
to USSS personnel and on the Secret Service intranet site. In addition, Secret Serv- 
ice employees are required to recertify their ethics training yearly. 

What percentage of the workforce actually completes the yearly recertification and 
what audit measures are in place to ensure the workforce is recertifying? 

Answer. Employees certify annually that they are aware of a variety of agency 
policies via the SSF 3218, to include the agency manual sections on Employee Re- 
sponsibilities and Conduct, Table of Penalties, and Discipline. These forms are sub- 
ject to audit when agency offices are inspected by the Office of Professional Respon- 
sibility’s Inspection Division. 

With respect to ethics training, in calendar year 2014, the Office of Chief Counsel 
(LEG) provided ethics training to 100% of those employees required to receive it. 
In calendar year 2015, LEG targeted a goal of 100% compliance and has provided 
in-person training to a total of 587 employees. LEG reports the results of its train- 
ing efforts annually to the Office of Government Ethics. 

With respect to required on-line training, the table below reflects the percentage 
of the workforce that has completed each of the 3 identified courses that involve em- 
ployee conduct and/or treatment of personal information. 

PRIVACY & PII TRAINING COMPLETIONS FOR USSS IN FISCAL YEAR 2015 



Privacy at DHS: 
Protecting Personal 
Information 

Decision Making 
Elements 

IT Security 
Awareness 

Course Title 

March 2015 was 
official rollout for 
this yearly required 
on-line course 


This on-line course 
is required annually 

This on-line course 
is required annually 

Employee Completions * 

5,604 

5,563 

5,385 

Percent of the Work- 
force Completions for 
Fiscal Year 2015 
(Numbers include ac- 
tive and inactive em- 
ployees with no dupli- 
cates) 

89% 

88% 

86% 


* Totals represent “unique employee completion” (both active/inactive employees with no du- 
plicates). 


The enforcement mechanisms (or audit measures) to ensure the on-line courses 
are completed are multi-tiered: 

(1) Self-Check. — Employee logs onto learning management system (LMS) regu- 
larly to ensure he/she is taking the courses by due date(s). 

(2) Supervisory Check. — Supervisor logs onto LMS and reviews his/her employee 
progress and/or the office Training Coordinator provides the supervisor(s) with 
a non-compliant list. 

(3) 2nd Supervisory Check (during evaluation process). — Supervisor conducts the 
employee’s mid-year and final evaluation, reviews the status of prescribed/re- 
quired training, and discusses any other training the employee may need or 
want to improve or develop his/her skill-set. 

(65) 
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(4) Inspection Division Audit. — All field offices and protective divisions are in- 
spected every 4 years by the Inspection Division (ISP). During the ISP review, 
on-line training is audited to determine whether all employees have completed 
mandatory LMS training. 

Question lb. What follow-up is conducted for non-compliant employees who fail to 
complete the training? 

Answer. Employees found to be non-compliant with required courses could be held 
accountable in performance evaluations and could be subject to discipline in accord- 
ance with the established Table of Penalties. 

Question lc. How do senior officials hold mid-level management accountable for 
ensuring their subordinates are aware of and operating within USSS ethics policies? 

Answer. Senior officials are responsible for communicating their expectations, in- 
cluding adherence to Secret Service ethics policies, to mid-level management during 
regular interactions, mid-year reviews, and final reviews. Failure on the part of mid- 
level management to ensure their subordinates are aware of and operating within 
those ethics policies could be reflected in the manager’s performance review and 
could result in discipline under the Table of Penalties. 

Question 2a. According to USSS staff, in 2007, an NSA review called for the MCI 
system to be upgraded. Despite this recommendation, the Secret Service did not 
begin to take any action related to upgrading the system until 2011 and the MCI 
upgrade was not completed until June of this year. Since fiscal year 2011, when the 
upgrade began, Congress has appropriated over $227 million for USSS IT trans- 
formation. 

How much of this appropriated sum was used to modernize the MCI system? 

Answer. The MCI migration was part of the Mainframe Applications Refactoring 
project which utilized approximately $13.49 million to complete the migration into 
modernized systems with security controls and audit logging. The out-year 
sustainment costs are $2 million per year. 

Question 2b. Why did it take so long for MCI to be upgraded and why did USSS 
wait 4 years after the NSA review to begin the upgrade? Was it a funding issue, 
a personnel issue, an acquisition issue, a technical issue, or something else? 

Answer. The MCI upgrade was dependent on the availability of modernization 
funds to obtain the appropriate assets to complete the project. These funds were 
needed to obtain the equipment and skilled personnel to take on the effort of 
transitioning from a period of technological stabilization to modernization. The Se- 
cret Service’s Information Integration and Technology Transformation (“IITT”) pro- 
gram was established in fiscal year 2010. In recognition of the limitations of MCI 
and other mainframe applications, the Secret Service initiated the Mainframe Appli- 
cation Refactoring (“MAR”) project in 2011 to assess the existing 48 applications re- 
siding on the mainframe and migrate necessary capabilities and accompanying data 
to a non-mainframe, secure, highly-available and compartmentalized environment. 
DHS estimated the project would take 10 years to complete. The Secret Service ac- 
celerated the MAR project in 2013 and was able to achieve project closure on June 
24, 2015. 

Question 3a. Since becoming Director, you have launched a series of communica- 
tion initiatives to open lines of communication between senior management and the 
rank-and-file USSS employees. These initiatives include focus groups, an Ombuds- 
man question line, and the new Spark! tool. These actions would appear to “clearly 
communicate agency priorities” and “create more opportunities for offices and 
agents to provide input on their mission” as recommended by the Protective Mission 
Panel. 

What kind of buy-in and participation in these initiatives have you seen from the 
rank-and-file employees? 

Question 3b. What reforms, either completed or in process, have been brought 
about as a result of these initiatives? 

Answer. Given that sub-questions a and b are closely related, the Secret Service 
will address these together. 

Spark! 

On October 19, 2015, the Secret Service introduced the Spark! Program, which is 
a crowdsourcing, web-based communication platform that provides every employee 
with a virtual voice to make suggestions, share ideas, and find solutions to elevate 
our mission and continue to improve the agency. This new program allows senior 
management to communicate directly with the entire workforce on what initiatives 
are being pursued and what the agency’s priorities are as they relate to the posts 
on the site. The Spark! Program, although still in its infancy, has already seen par- 
ticipation by 3,374 employees, which is 54% of the workforce. 



67 


Focus Groups 

In October 2014, the Secret Service selected Eagle Hill Consulting as the primary 
contractor to conduct a Work/Life Integration Assessment beginning in November 
2014. Eagle Hill conducted focus group interviews throughout the Nation with Se- 
cret Service employees. A survey was distributed garnering participation from ap- 
proximately 57% of the total Secret Service population. Eagle Hill completed its as- 
sessment in December 2015. 

Throughout this engagement, frequent communication with the Secret Service 
workforce has been essential in providing the workforce transparent, accurate infor- 
mation about the status of the work/life assessment and its results. Regular updates 
from the director via e-mail and a permanent work/life integration webpage on the 
Secret Service intranet inform employees about near-term measures and next steps 
as the organization responds to critical quality-of-life concerns. For example, an 
agency-wide communication from the director in response to focus group findings 
conveyed new initiatives to provide greater clarity and transparency regarding the 
special agent reassignment process, career track and promotion guidelines for law 
enforcement personnel, permanent change of station move process, hardship policy, 
and enhancements to the organization’s telework policy. 

Now that the Eagle Hill engagement has concluded, focus group results, survey 
data, and external research into Federal agency work/life best practices will be pre- 
sented to the Secret Service Executive Staff. These efforts will inform a series of 
final recommendations to be developed by Eagle Hill regarding development of a 
permanent Work/Life Integration Program. Through the recently-established Work/ 
Life Working Group chaired by the deputy director, the organization will consider 
in detail each of the recommendations and in 2016 begin developing appropriate 
programmatic responses to enhance workforce quality of life on a long-term basis. 

Question 4a. The Protective Mission Panel recommended replacing the fence sur- 
rounding the White House, stating, “a better fence can provide time, and time is 
crucial to the protective mission. Every additional second of response time provided 
by a fence that is more difficult to climb makes a material difference in ensuring 
the President’s safety and protecting the symbol that is the White House.” The 
Panel also suggested the fence be replaced as quickly as possible. Thus far however, 
the only changes have been the addition of some spikes and bike racks which push 
the fence line out a few feet. 

Please provide an update on the USSS plans to replace the fence. 

Answer. In response to the September 19, 2014 incident and the findings of the 
Protective Mission Panel, the Secret Service pursued interim and long-term actions 
needed to address White House fence vulnerabilities. 

To immediately increase the difficulty associated with jumping the fence, the Se- 
cret Service installed temporary security enhancements on the existing fence. These 
temporary measures were meant to bolster security needs while a long-term solution 
is designed and implemented. 

To permanently address all identified fence vulnerabilities, the Secret Service, 
through the National Park Service (NPS), initiated an engineering study to examine 
physical changes that would increase the structural integrity of the White House 
fence against both individuals and an organized, dynamic attack. The study con- 
cluded on May 28, 2015. Based on the results of the study, the Secret Service de- 
cided to pursue the design of two different permanent fence options. Both options 
will be developed concurrently and in enough detail so that they can be presented 
to NPS, the National Capital Planning Commission (NCPC), the Commission of Fine 
Arts (CFA), the District of Columbia State Historic Preservation Officer (DC SHPO), 
and others for consideration. Award of the contract for the permanent fence design 
took place in September 2015. 

Question 4b. When do you expect the project to be completed and at what cost? 

Answer. Prior to completion of the study and the latest fence-jumping incident on 
November 26, 2015, the Secret Service estimated that design, acquisition/con- 
tracting, and construction of the permanent fence project would take a minimum of 
28 months, potentially longer if the NPS, the NCPC, and the CFA require revisions/ 
modifications to the proposed design. 

After completion of the study, negotiations with the architect/engineer responsible 
for the design of the permanent fence, additional discussions with NPS (the Govern- 
ment agency with responsibility/jurisdiction over the fence), as well as a review of 
the November 26, 2015 fence-jumping incident, the Secret Service now believes this 
project will take longer than 28 months. 

The concepts for the permanent fence design were based in part on the security/ 
anti-climb features incorporated into the interim fence upgrades that were present 
during the November 26, 2015 fence-jumping incident. Based on the results of this 
incident, the Secret Service plans to re-evaluate the permanent design concepts, as 
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well as assess the effectiveness of additional features to be incorporated into the 
new permanent fence. 

The fiscal year 2016 Consolidated Appropriations Act included $8.2 million (avail- 
able for 2 years) for security enhancements to the White House fence. This estimate 
was developed prior to the completion of the study and design phase of the project. 
Once the permanent design is developed and additional details about the permanent 
fence are known, the Secret Service will be better positioned to provide an estimated 
total cost to replace the existing White House fence. 

Question 5. As stated in the OIG addendum issued in October, Deputy Director 
Magaw said he informed you on March 25 of the rumor that Rep. Chaffetz had ap- 
plied to the Secret Service. Why did you not take immediate steps to learn more 
information about the nature and validity of the rumor? Why did Deputy Director 
Magaw not inform you that the rumor was the result of improper access and dis- 
tribution of PII information in the MCI database? 

Answer. As previously reported to the DHS OIG, on March 25, 2015, Deputy Di- 
rector Magaw notified me of the rumor surrounding Representative Chaffetz’s appli- 
cation with the Secret Service. At that time, I had no reason to believe that any 
Secret Service databases, including MCI, had been accessed to obtain this informa- 
tion. Like Deputy Director Magaw, I believed it to be an unsubstantiated rumor and 
nothing more. In fact, both Deputy Director Magaw and I were not aware that a 
Secret Service database had been accessed until April 2, 2015. That same day, I 
sent an official message to the entire workforce directing them to immediately cease 
all unauthorized access and dissemination of sensitive information. 

On April 3, 2015, I convened a meeting with his executive staff to inform them 
of the situation. At this meeting, I reiterated the importance of protecting sensitive 
PII and informed them that any violations to Secret Service policy would not be tol- 
erated. 

Subsequently, the DHS OIG’s investigation revealed that subsequent to the April 
2, 2015 official message, no additional personnel accessed Representative Chaffetz’s 
information. 

Question 6. Why did Secret Service maintain applicant information from 12 years 
prior in its systems? Why was such information not purged or sent for archiving? 

Answer. At the time of the events in question, the Secret Service was still gov- 
erned by records retention schedules requiring this type of information be retained 
for 20 years. Due to the fact that these schedules were vetted, approved, and signed 
by the National Archives and Records Administration (NARA), adherence to these 
schedules was a matter of legal compliance. New NARA-approved retention sched- 
ules have now replaced the legacy schedules, and information relating to applicants 
who are not hired is held only for 2 years, unless a formal background investigation 
is conducted. If a formal background investigation is conducted, the case file is held 
for 5 years. 

Questions From Ranking Member Bennie G. Thompson for Joseph P. Clancy 

Question 1. Director Clancy, it was recently reported that a Uniformed Division 
officer was arrested for sending pornographic images to a minor. Prior to his arrest, 
the Secret Service Office of Professional Responsibility became aware of the inves- 
tigation and suspended the officer’s security clearance and took his service weapon. 
How did the Secret Service work with the authorities to make sure that the inves- 
tigation of this officer was not compromised since the Secret Service took action be- 
fore the officer was arrested and indicted? 

Answer. On November 6, 2015, the Maryland State Police (MSP) contacted the Se- 
cret Service to advise that they, in conjunction with the Delaware State Police 
(DSP), and ICE’s Homeland Security Investigations (HSI) were conducting an inves- 
tigation into potential criminal misconduct by a USSS employee. 

That day, representatives from the Office of Professional Responsibility contacted 
the DHS OlG and advised that the USSS employee was assigned to the White 
House Complex and the allegations against the employee posed significant National 
security concerns. DHS OIG requested that the USSS not take any administrative 
action against the USSS employee as law enforcement involved in this investigation 
was planning to execute a search warrant in less than 2 weeks. However, due to 
the criminal nature of the allegations and the sensitivity of the position held by the 
employee, the USSS made the decision to immediately suspend the employee’s secu- 
rity clearance and place him on administrative leave. 

Question 2. Director Clancy, it was recently reported that 2 USSS agents were 
observed during a routine systems check sleeping at their duty stations. This obser- 
vation was so concerning, the DHS inspector general issued a management alert, 
citing long overtime shifts, travel fatigue, and a lack of water as some of the causes. 
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What plans do you have in place to address overtime concerns, particularly in the 
Uniformed Division? 

Answer. The Uniformed Division continues to evaluate overtime usage across all 
Uniformed Division Branches with the goal of equitably minimizing extensive over- 
time shifts and preserving days off. Each Uniformed Division Branch manually 
tracks the overtime accumulation of each officer per pay period as a current man- 
agement practice. Every effort is made to staff critical vacant assignments with per- 
sonnel who volunteer to work overtime prior rather than forcing personnel to work 
overtime. 

The concept of consolidating all Uniformed Division scheduling offices to gain effi- 
ciencies and cross level overtime between Branches is currently under review. In ad- 
dition, specialty function Uniformed Division personnel are being temporarily reas- 
signed to fill critical assignments in an effort to reduce the amount of overtime 
hours as well as cancelled days off. 

Variable assignments, such as temporary magnetometer screening details, typi- 
cally result in short-notice protective travel and incur overtime for personnel to re- 
place or “backfill” Uniformed Division personnel on TDY status. The Uniformed Di- 
vision, as well as the Office of Protective Operations, are reviewing current planning 
practices in order to determine temporary magnetometer detail requirements as 
early as possible in the protective advance planning process in order to minimize 
overtime as a result of short-notice TDY travel. 

Question 3. The Protective Mission Panel suggested an increase of 200 Uniformed 
Division officers as well as 85 Protective Division officers. Has the Secret Service 
increased staffing since this recommendation and by how many? Will this increase 
in staffing help decrease the number of officers needed for long overtime shifts, par- 
ticularly in the Uniformed Division? 

Answer. As of December 7, 2015, 176 UD Officers have been hired in fiscal year 
2015 and fiscal year 2016. Tbe net gain from the influx of these 176 additional per- 
sonnel has been 28 additional officers assigned to the White House. This represents 
a staffing increase of 4.8% at the White House Branch. At this time, we anticipate 
hiring approximately 288 total officers in fiscal year 2016. 

Although Uniformed Division personnel assigned to the White House Branch has 
increased since the Protective Mission Panel report was issued on December 15, 
2014, the overall number of personnel assigned to the Uniformed Division has de- 
creased from 1,345 to the current number of 1,323, as of December 7, 2015. 

With respect to the Protective Mission Panel recommendation to increase the 
Presidential Protective Division by 85 special agents, this will be complete in the 
2nd quarter of fiscal year 2016. 

Question 4. The Protective Mission Panel recommended an establishment of a 
leadership-development system to identify and train the agency’s future managers 
and leaders. How do you identify the agency’s future managers and leaders given 
that several of the agency’s current managers and leaders have been investigated 
for misconduct? 

Answer. When there is an open position in the Senior Executive Service (SES) 
ranks, the Secret Service Executive Resources Board (ERB) reviews the list of em- 
ployees who have received SES certification from the Office of Personnel Manage- 
ment. 

If an SES-certified employee is identified as being a viable candidate to fill the 
vacancy, the ERB makes a recommendation to the director for his consideration. If 
no current SES-certified employee is identified as being a viable candidate to fill the 
vacancy, the ERB makes a recommendation to the director to announce the vacancy 
to external candidates. 

For non-SES supervisory positions, special agent career progression guidelines 
were established in September 2015, and a career track for non-law enforcement 
personnel is currently under development. 

Question 5. As outlined in the latest Federal Employee Viewpoint Survey, the De- 
partment of Homeland Security is still struggling in areas of morale and leadership. 
The Secret Service in particular has been plagued with retention issues. Please de- 
scribe what plan you have in place to address retention and ensure the Service is 
recruiting top, diverse talent? 

Answer. A retention incentive program has been implemented for the Uniformed 
Division. Under the plan, officers signed retention bonus agreements in the amount 
of 5% of their annual salary and began receiving that bonus, in part, every 90 days 
they remained on the job. To date, over 90% of the eligible Uniformed Division 
members have executed a service agreement and are participating in this program. 
In addition, a comprehensive review of recruitment and retention flexibilities avail- 
able within the Federal Government is currently being conducted. 
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The Talent and Employee Acquisition Management Division has developed and 
implemented a fiscal year 2016 Recruitment and Outreach Plan. The Plan outlines 
strategies that will guide the recruitment activities necessary to ensure the Secret 
Service recruits a highly qualified and diverse workforce that is representative of 
America. The plan includes traditional outreach, such as attending National and di- 
versity-focused career fairs, information sessions and career fairs at Historically 
Black Colleges and Universities, Hispanic-serving institutions, and Tribal colleges 
and universities, liaison with military Transition Assistance Program/Army Career 
Alumni Program (TAP/ACAP) events, and attending National diversity conferences. 
In addition, new opportunities in social media recruiting are being leveraged to at- 
tract today’s engaged candidates on Linkedln, YouTube, Twitter, and internet radio 
providers such as Pandora and iHeartRadio. The strength of these platforms is their 
ability to target potential applicants with the backgrounds and skill sets we seek. 

The Entry Level Assessment Center (ELAC) will continue to be used to process 
large groups of Special Agent and Uniformed Division Officer applicants through the 
hiring process. Typically during an ELAC, the applicant is administered 2 or more 
assessments of the hiring process in a reduced amount of time. During fiscal year 
2016, 6 UD ELACs have been conducted with more than 460 applicants being proc- 
essed to date. 

The Recruitment and Outreach Plan is a living document and will be updated and 
revised as necessary throughout the fiscal year to meet the agency’s goals in recruit- 
ment and hiring. 

Question 6. It has been often stated that it is very difficult to transition from the 
Uniformed Division to the President’s Protected Division. What percentage of agents 
in fact transfer from the Uniform Division to the Protected Division? What special 
programs are in place to support such a desire to transfer? 

Answer. Uniformed Division officers do not ever transfer directly to a special 
agent position in the Presidential Protective Division, a permanent protective detail. 
In fact, no one applying for a law enforcement position within the Secret Service 
is hired directly to a position with a permanent protective detail. There is a period 
during which the expertise, maturity, and judgment essential to the extremely crit- 
ical and demanding work of special agents protecting our Nation’s highest elected 
leaders is developed in field offices supporting protective operations and conducting 
counterfeit currency, financial, or cyber crime investigations as criminal investiga- 
tors. 

Uniformed Division officers do frequently go through the necessary process to be- 
come special agents. Those Uniformed Division officers who become special agents 
are required to go back to the Federal Law Enforcement Training Center (FLETC) 
in Glynco, Georgia for the Criminal Investigator Training Program course. After 
graduation from FLETC they return to the U.S. Secret Service James J. Rowley 
Training Center (JJRTC) to attend the Special Agent Training Course. Upon suc- 
cessful graduation from the JJRTC the new agent is then assigned to a field office 
for the first phase of their career. After their initial field office assignment the agent 
is then transferred to a permanent protective detail, like the Presidential Protective 
Division or Protective Intelligence Division. 

Question 7. In June of this year, it was reported that several dozen USSS Uniform 
Division Officers were placed on duty at the White House without completing the 
requisite security clearance process. In fact, over the last 5 years, approximately 643 
officers and agents have been assigned to positions without the requisite security 
clearance. Please provide the demographical information to include race and gender 
for each officer and agent assigned to duty without a security clearance over the last 
5 years. 

Answer. A report is being compiled and will follow. 

Question 8. Are agents and officers presently required to have a completed secu- 
rity clearance before being placed on duty? Please provide the number of agents and 
officers currently on duty without a security clearance, the specific post each agent 
or officer was assigned, the date of the assignment, and the length of time the agent 
or officer remained at this position without a clearance. 

Answer. There are no agents or officers currently on duty without a security clear- 
ance. Pursuant to Secret Service policy, SCD-02(01), DHS has authorized the Secret 
Service to hire employees “contingent upon completion of a full-scope background in- 
vestigation.” Employees may be hired under this contingency if the Secret Service 
has completed the majority of a Single Scope Background Investigation (SSBI) and 
no derogatory information was developed which could adversely impact the can- 
didate’s ability to hold a Top Secret security clearance during the course of the 
SSBI. Employees hired under this contingency status are required to sign an SSF 
4024, Conditional Access to Sensitive but Unclassified Information Non-Disclosure 
Agreement, prior to reporting for duty. 
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Question 9. In your testimony, you reference 14 contractors added to Secret Serv- 
ice staff to help adjudicate security clearances. What is the current average amount 
of time required by your staff to complete a security clearance since the addition 
of the contractors? 

Answer. In an effort to correct the record, it should be noted that the statement 
in the testimony does not accurately reflect the number of contractors added to Se- 
cret Service staff to help adjudicate security clearances. The Security Clearances Di- 
vision (SCD) is in the process of on-boarding 24 contractors to assist in the security 
clearance process. At this time, 11 are on board. The purpose of the contractors is 
to process the high volume of applicants to the agency to ensure adjudication before 
the personnel become operational while staying within the 114-day Office of the Di- 
rector of National Intelligence (ODNI) standard. 

Question 10. The Inspector General’s memorandum on the improper database ac- 
cess states that there was evidence of only 1 individual out of 18 executive-level 
managers who attempted to inform the Director or higher levels of the supervisory 
chain about the information or attempt to remediate the activity. Do you find it con- 
cerning that some of your senior leadership, which you personally appointed, did not 
see error in this behavior? 

Answer. The DHS OIG investigation found that 18 supervisors at the GS-15 or 
Senior Executive Service level may have known about improper database access but 
only one attempted to inform the director or higher levels of the supervisory chain 
about the information or attempt to remediate the activity. Additional investigation 
conducted by the Secret Service Inspection Division, with the authorization of the 
DHS OIG, included interviews of these supervisors which had not previously been 
conducted by the DHS OIG. This supplemental investigation revealed that other su- 
pervisors with knowledge of Secret Service employees improperly accessing data- 
bases or sharing protected information ordered their employees to immediately 
cease and desist accessing the database. Further, the vast majority of supervisors 
did not receive information that was attributable to a USSS data system, nor did 
they have any awareness that the rumor originated through potential misconduct. 

Regardless, as I stated in testimony before Congress, I am committed to ensuring 
that all employees are held to the highest standards of professional conduct, wheth- 
er on or off duty. I believe the behavior of the employees who violated existing Se- 
cret Service and DHS policies pertaining to the unauthorized access and disclosure 
of information protected by the Privacy Act of 1974 is unacceptable. I also believe 
that supervisors who failed to advise employees to cease and desist or attempt to 
inform higher levels of the supervisory chain after obtaining actionable information 
are also culpable. Those we protect and the public we serve expect us to live by our 
oaths and the values we have established as an agency, and we should demand 
nothing less from each other. We are better than the actions illustrated in this re- 
port and people, responsible supervisors and line employees alike, will be held ac- 
countable for their actions. 

Question 11. Director Clancy, according to your testimony, when you heard of 
Representative Chaffetz’s application for the Secret Service being discussed, you dis- 
missed it as a rumor. However, according to the OIG’s memorandum, you discussed 
this rumor at a luncheon with former directors of the Secret Service. Instead of in- 
vestigating, you spread the rumor. What does that say about the culture of profes- 
sionalism of the Secret Service? 

Answer. I would like to address my statements and the decision of the OIG to 
reopen the investigation on October 5, 2015. During the process of reviewing the 
draft, I was reminded by a colleague that I had been informed of a rumor regarding 
the individual’s application history on March 25. While I myself do not recall hear- 
ing of this rumor, several others have confirmed that I did, and that it was a gen- 
eral rumor about the individual’s past application; it did not relate to USSS employ- 
ees improperly accessing databases or sharing protected information. In order to en- 
sure accuracy within the report, on my own initiative I contacted the OIG to correct 
the record. I made this decision because I feel that it is important to be as forth- 
coming, accurate, and complete as possible. I expect this from my employees and 
expect nothing less from myself. 

The OIG published an addendum in October reporting its assessment of the up- 
dated information pertaining to when I was made aware of this rumor. Interviews 
with former directors, my deputy director, and my former chief of staff only serve 
to corroborate that the information available to me at the time was nothing more 
than a rumor. The information was not attributed to a Secret Service data system 
or indicative of any action — inappropriate or otherwise — by any Secret Service em- 
ployee. Nothing in the addendum contradicts what I have maintained from the be- 
ginning — that at no time prior to April 2 was I aware that this rumor originated 
in information obtained through potential misconduct. When I did learn of it, I took 
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immediate action, contacting the OIG and sending an official message to the work- 
force on the handling of sensitive information. 

Question 12. According to the Inspector General’s memorandum, the personal file 
from the data leak was stored on the Secret Service Master Central Index or MCI 
system. MCI is described as a “1980s vintage, electronic database and system of 
records.” The National Security Agency conducted an analysis of the Secret Service 
data system in 2010. NSA concluded that the system was dated and fully oper- 
ational only 60 percent of the time. Why was the system not updated or removed 
until July of this year, only after this particular data leak? 

Answer. The MCI upgrade was part of the Secret Service’s broader effort to mod- 
ernize its IT systems. This effort, known as the Information Integration and Tech- 
nology Transformation (“IITT”) program, was established in fiscal year 2010. In rec- 
ognition of the limitations of MCI and other mainframe applications, the Secret 
Service initiated the Mainframe Application Refactoring (“MAR”) project in 2011 to 
assess the existing 48 applications residing on the mainframe and migrate nec- 
essary capabilities and accompanying data to a non-mainframe, secure, highly-avail- 
able and compartmentalized environment. DHS estimated the project would take 10 
years to complete. The Secret Service accelerated the MAR project in 2013 and was 
able to achieve project closure on June 24, 2015. 

Question 13. What plans do you have in place regarding the MCI and other out- 
dated systems within the Secret Service? What parameters are available to ensure 
such a gross mismanagement of access and authority does not occur again? 

Answer. On March 24, 2015, there were technological security deficiencies within 
the Secret Service’s primary internal database that contributed to the unauthorized 
access of information. These internal vulnerabilities have been addressed and the 
potential for similar misconduct in the future mitigated. The MCI was a mainframe 
application developed in 1984 that served as a central searching application and 
case management system. More specifically, MCI contained records from protective, 
investigative, and human capital divisions and served as a single access point for 
investigators and administrators. A significant deficiency of this arrangement was 
that an MCI user had access to all of the data in MCI regardless of whether it was 
necessary for that user’s job function. 

The Secret Service’s Information Integration and Technology Transformation 
(“IITT”) program was established in fiscal year 2010. In recognition of the limita- 
tions of MCI and other mainframe applications, the Secret Service initiated the 
Mainframe Application Refactoring (“MAR”) project in 2011 to assess the existing 
48 applications residing on the mainframe and migrate necessary capabilities and 
accompanying data to a non-mainframe, secure, highly available and compartmen- 
talized environment. DHS estimated the project would take 10 years to complete. 
The Secret Service accelerated the MAR project in 2013 and was able to achieve 
project closure on June 24, 2015. At that time, all employee mainframe access was 
revoked. The new systems are completely operational, and all legacy data has been 
migrated to new platforms where data is locked down and access to data is depend- 
ent upon job function. Protective, investigative, and human capital records reside in 
different systems, and internal controls have now been implemented to restrict ac- 
cess to those systems in two ways. Now access is: (1) Limited to the respective direc- 
torates responsible for the information; and/or (2) based on the role of the system 
user within the organization. Shutdown of MCI began at the end of July, and it was 
fully powered down on August 12, 2015. Disassembly of the mainframe began in Au- 
gust 2015, and it was physically removed from the data center on September 16, 
2015. 

Question 14. In the past, you have placed agents and officers on administrative 
leave, suspended security clearances, and provided limitations on technology when 
agents are under investigation. Please explain your decision to not take immediate 
disciplinary action on the senior-level management and the other personnel who 
were identified as improperly accessing the MCI database. 

Answer. Disciplinary action is taken only after investigation into the facts and cir- 
cumstances is complete. In conjunction with this incident, the DHS OIG completed 
its investigation in later September and provided the supporting documentation in 
early October. In this instance, the agency did not have all of the information nec- 
essary from the OIG to contemplate disciplinary action until October 7, 2015. Even 
after receiving the information, in some cases, it was determined further investiga- 
tion by our Office of Professional Responsibility was required. 

Question 15. In your testimony, you state that the likely maximum disciplinary 
action each employee involved in the data breach will face is 12 days suspension. 
Does the table of penalties address violations of conduct that are also violations of 
law? Was there a discussion within the Office of Integrity and/or the Department 
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of Homeland Security to revoke each individual’s security clearance? If not, please 
explain why. 

Answer. The Table of Penalties does contain penalties that are applicable for vio- 
lations of law. The revocation of security clearances is handled by the Security 
Clearance Division rather than the Office of Integrity. Accordingly, there were no 
discussions within the Office of Integrity or between the Office of Integrity and the 
Department of Homeland Security regarding the revocation of security clearances. 

Question 16. The improper database access issue seems to be an issue with integ- 
rity, which means doing the right thing, even when no one is looking. Please de- 
scribe what trainings and communications are provided to Service employees pro- 
moting integrity. Please also describe how senior management promotes integrity to 
the workforce. 

Answer. All senior executives, most Headquarters-based managers and super- 
visors, and all field office and protective division special agents in charge (SAICs) 
are required to receive ethics training every year. Training includes the use of non- 
public information. 

LEG provides in-person training to all Washington, DC-based employees required 
to receive it (except when exigent circumstances warrant written training). SAICs 
outside the Washington, DC, area are required to participate in the Headquarters 
training sessions by video — or teleconference. LEG also visits the field offices and 
protective divisions in one domestic region each year to personally train the SAICs 
and all available supervisors. SAICs are encouraged to invite other available em- 
ployees. 

With respect to ethics training, in calendar year 2014, the Office of Chief Counsel 
(LEG) provided ethics training to 100% of those employees required to receive it. 
In calendar year 2015, LEG targeted a goal of 100% compliance and provided in- 
person training to a total of 587 employees. LEG reports the results of its training 
efforts annually to the Office of Government Ethics. 

LEG oversees the publication and issuance of “Standards of Ethical, Professional, 
and Personal Conduct: A Desk Reference for United States Secret Service Employ- 
ees.” The desk reference is a comprehensive summary of the statutes, regulations, 
and policies that govern employee conduct. When the desk reference was first pub- 
lished in 2013, every employee was issued a printed, bound copy of the book. Subse- 
quently, at the initial ethics briefing of the biweekly new employee orientation, LEG 
has provided new employees with a printout of the guide and referred them to the 
electronic version available on the Secret Service Intranet. 

Additionally, during the winter of 2012-2013, an instructor-led course was devel- 
oped entitled “Standards of Conduct (Ethics).” In 2013, this course was incorporated 
into many new recruit and in-service courses as depicted in the table below: 

Basic Courses 

• The basic course instructional blocks were entitled Ethical Decision Making & 

Standards of Conduct 

• Special Agent Training Course. — 2.5 hours 

• Uniformed Division Training Course. — 2.5 hours 

• Mixed Basic Training Course. — 3 hours 

• Protective Detail Training Course. — 3 hours 

• Counter Assault Team Basic School. — 2 hours 

• Counter Assault Team Cycle Training. — 2 hours 

In-Service Courses 

• The in-service course instructional blocks were entitled Standards of Conduct 

• 4th Shift Training. — 2 hours 

• Firearms Instructor Training Course. — 2 hours 

• Seminar for First-Line Supervisors. — 45 minutes 

• SA Reintegration Course. — 1.5 hours 

• UD In-Service Training Course. — 1 hour 

In addition to instructor-led training, there are also mandatory on-line ethics 
courses available to all employees through the Learning Management System 
(LMS). In April 2012, it became mandatory that all employees traveling overseas 
to take the on-line course entitled “Making Decisions Ethically.” In March 2015, this 
course was replaced with the on-line ethics course entitled “Decision Making Ele- 
ments,” which became a mandatory, annual requirement for all USSS employees. 

Question 1 7. The Secret Service has now replaced the MCI system and 95% of em- 
ployees who once had access to the particular database in question no longer have 
access. Of the employees who will continue to have access, how many were impli- 
cated in this data breach? Please explain your decision to allow these individuals 
to continue to have access to sensitive information. 
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Answer. As discussed in the response to question 13, the MCI system was fully 
shut down in August of 2015. All legacy data was migrated to new platforms where 
data is locked down and access to data is dependent upon job function. None of the 
individuals identified in the DHS OIG investigation into the improper access and 
distribution of information contained within a Secret Service database now have ac- 
cess to applicant data information. 

Questions From Chairman Ron Johnson for Joseph P. Clancy 

Question 1. Inappropriate use of information systems is likely a security violation. 
What is the status of any on-going security clearance investigations and adjudica- 
tions? 

Answer. For the employees who were identified by the Department of Homeland 
Security (DHS) Office of Inspector General (OIG) as being involved in accessing a 
record containing personally identifiable information (PII) in the internal database, 
security clearance warning letters are being issued for inappropriate use of informa- 
tion systems. 

Question 2. What is the reasoning for the Secret Service maintaining records of 
unsuccessful applications for an extended period of time that contain sensitive PII? 

Does the Secret Service currently maintain similar records of unsuccessful appli- 
cations that are not deemed relevant? 

Answer. At the time of the events in question, the Secret Service was still gov- 
erned by records retention schedules requiring this type of information be retained 
for 20 years. Due to the fact that these schedules were vetted, approved, and signed 
by the National Archives and Records Administration (NARA), adherence to these 
schedules was a matter of legal compliance. New NARA-approved retention sched- 
ules have now replaced the legacy schedules, and information relating to applicants 
who are not hired is held only for 2 years, unless a formal background investigation 
is conducted. If a formal background investigation is conducted, the case file is held 
for 5 years. 

Question 3. Please describe the process to verify that Secret Service employees 
have reviewed the Secret Service Ethics Guide on an annual basis. 

Answer. This guide was distributed electronically and in hard copy in 2013 in re- 
sponse to one of the Professionalism Reinforcement Working Group (PRWG) rec- 
ommendations, which reads as follows: 

“PRWG Recommendation. — Reinforcement of Ethical Behaviors: The USSS notifies 
its workforce regarding policy changes on discipline, including expectations on eth- 
ical behavior and conduct through issuance of policy directives. However, the USSS 
should use multiple approaches to reinforce the importance of ethical behavior and 
conduct at all times. For example, the USSS should consider issuing all current em- 
ployees and all new employees a user-friendly, easy-to-read manual highlighting the 
organization’s core values, compliance principles, standards of conduct, and the ex- 
pectation that employees adhere to standards of ethical conduct.” 

The ethics guide provides a comprehensive summary of relevant statutes, regula- 
tions, and policies. Many of the rules in the ethics guide are contained in Secret 
Service manual sections to which employees certify on an annual basis via SSF 
3218. 


Questions From Chairman James Lankford for Joseph P. Clancy 

Question la. During your testimony you were asked if the Secret Service main- 
tains paper files with personally identifiable information (PII) in addition to the PII 
stored on electronic databases. 

Does the Secret Service still maintain paper files in any of its offices containing 
personally identifiable information (PII)? 

Answer. Yes. 

Question lb. If so, who has access to such files and how are those files stored? 

Answer. Access to records containing such information is generally controlled by 
the access procedures set out under the Privacy Act of 1974, title 5 of the United 
States Code, section 552a (Privacy Act). System of Record Notices (SORNs) required 
under the Privacy Act which implicate record systems maintained by the Secret 
Service are published by the Department of Homeland Security (DHS), the Office 
of Personnel Management, and the Equal Employment Opportunity Commission. 
The SORN sets forth the routine uses for access to each system as well as the stor- 
age requirements for each system. Copies of Secret Service SORNs as most recently 
published by DHS are attached. 
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Question lc. If so, what security controls does the Secret Service have in place 
to prevent, detect, and respond to the unauthorized access of any paper files con- 
taining PII in any of its offices? 

Answer. Most types of PII records have specific additional regulatory storage, 
handling, and reporting protocols (e.g., storing in a locked room with access controls/ 
logs). Information put into inactive storage includes a specific notation on National 
Archives form SF 135 that the files must be protected under the Privacy Act. 

Question 2. In the context of Secret Service employee removal authority, you testi- 
fied that you would like greater ability to dismiss employees that violate agency pol- 
icy and the law. 

What additional removal authority would assist you in changing the current cul- 
ture and ensure that agency policy and the law is respected? 

Answer. While we believe that current law allows for a reasonable process and 
means to remove employees from Federal employment in misconduct cases, the pace 
of that removal action is often slow and does not always foster a culture of account- 
ability. For instance, when a case has been referred to, and accepted by, the OIG 
for investigation, the Secret Service can be delayed in taking action to address in- 
stances of employee misconduct, including criminal misconduct. In these instances 
the Secret Service must wait for the OIG to fully complete their investigation and 
issue a report which may lack the underlying evidence, sworn statements, and 
sometimes be in a redacted format. We believe that, if OIG were to provide the Se- 
cret Service with real-time information concerning evidence developed during an 
OIG investigation, we would, in some cases, be able to take expeditious disciplinary 
action against employees. For instance, if the OIG provided the Secret Service with 
a sworn statement in which the employee admits to the misconduct, the Secret 
Service could propose disciplinary action in advance of a receiving a finalized, for- 
mal report. In this regard, we will engage with OIG to explore this possible change 
to existing procedure and any other changes that may lead to a greater culture of 
accountability in the Service workforce. 

Question 3. Concerning the topic of agency whistleblowers, you stated “everyone 
in the Service knows that whistleblowers perform a vital function” and “there’s no 
retaliation” against them. 

Can you explain the steps the Service is currently taking to ensure that all whis- 
tleblowers are properly protected and shielded from retaliation? 

Answer. The Secret Service recognizes its obligation to protect the rights afforded 
to employees in making protected disclosures, including disclosures made to Con- 
gress, and values the benefits derived from the resulting oversight. 

The Secret Service is committed to creating open lines of communication within 
the agency to ensure concerns raised at any level receive the attention they deserve, 
and to ensure that employees who bring concerns to light are praised for doing so, 
rather than retaliated against. 

Biennial training on certain Federal anti-discrimination and “whistleblower” pro- 
tections is required by the No FEAR Act for all Department of Homeland Security 
(DHS) employees. This No FEAR Act course was developed by the DHS Office for 
Civil Rights and Civil Liberties’ (CRCL) Equal Employment Opportunity and Diver- 
sity Division and its CRCL Institute based on an anti-harassment training course 
created by the Central Intelligence Agency’s Office for Equal Employment Oppor- 
tunity Office. 

Further, an agency-wide message was issued on October 30, 2015, regarding 
“Whistleblower Protection Awareness” which referenced policy manual sections re- 
lated to disclosures to Congress and included a link to “information to help employ- 
ees easily determine what they should report, how to report suspected issues, what 
training DHS offers, [and] what legal protections are available . . . 

Additionally, Secret Service Manual guidelines requiring employees to report mis- 
conduct or retaliation were reiterated to all employees in an official message to the 
workforce on March 23, 2015. It is important that employees recognize the agency’s 
position on this issue, and Director Clancy will continue to emphasize it to the 
workforce. The Secret Service fully respects and supports the rights of whistle- 
blowers, and retaliation of any kind is not and will not be tolerated. These rights 
and protections are clearly stated in the Secret Service Ethics Guide, the Table of 
Penalties, and within the Secret Service Manual. 

Question 4a. Your testimony outlined that recent Secret Service policy now re- 
quires the purging of applicant files every 2 years to improve internal protections 
of personally identifiable information (PII) housed on its databases. 

When did this policy change? 

Answer. This policy changed on October 1, 2015. Please note, at the time of the 
events in question, the Secret Service was still governed by records retention sched- 
ules requiring this type of information be retained for 20 years. Due to the fact that 
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these schedules were vetted, approved, and signed by NARA, adherence to these 
schedules was a matter of legal compliance. New NARA-approved retention sched- 
ules have now replaced the legacy schedules, and information relating to applicants 
who are not hired is held only for 2 years, unless a formal background investigation 
is conducted. If a formal background investigation is conducted, the case file is held 
for 5 years. 

Question 4b. What additional policies and training does the Secret Service have 
in place to ensure PII housed on its databases is not improperly accessed? 

Answer. A Secret Service Information Resources Management (IRM) directive en- 
titled “IRM Privacy Act Review” includes policy for reviewing new IT systems or 
changes to existing IT systems to determine Privacy Act impact. Related Secret 
Service and Department of Homeland Security (DHS) directives help ensure aware- 
ness of and compliance with PII regulations, through mechanisms such as the Pri- 
vacy Threshold Analysis/Privacy Impact Analysis processes. 

Existing policies and training include longstanding guidance regarding the proper 
access to databases and handling of Privacy Act protected information, which is 
clearly stated in the Secret Service Ethics Guide, in the Table of Penalties, and 
within the Secret Service Manual sections related to rules of behavior with respect 
to the use of information technology. Employees are required to certify annually 
that they have reviewed these manual sections. 

Additionally, the Secret Service provides a 1-hour briefing to Special Agent and 
Uniformed Division Training Classes that includes material on the Privacy Act. A 
senior Government Information Specialist from the Freedom of Information Act and 
Privacy Act Branch of the Office of Government and Public Affairs teaches the class 
and focuses, in part, on PII. 

A 1-hour in-service on-line training titled “IT Security Awareness” is required as 
part of the agency’s Federal Information Security Management Act (“FISMA”) obli- 
gations. The course outlines the role of Federal employees in the protection of infor- 
mation and in ensuring the secure operation of Federal information systems. 

The Privacy Act is also discussed during in-service ethics classes administered to 
the field by Secret Service Office of Chief Counsel instructors. 

Further, DHS requires Secret Service employees to complete annual in-service on- 
line training titled, “Privacy at DHS: Protecting Personal Information.” This train- 
ing was incorporated into the required curriculum in 2012 and covers proper han- 
dling of PII. 

Finally, in August, the agency began including a dedicated block of instruction for 
the new Special Agent Training Classes regarding the Release of Information. The 
class provides an overview of the Privacy Act and the Freedom of Information Act, 
reviews employees’ responsibilities under those Acts and the consequences for fail- 
ing to fulfill them, and more generally, discusses the proper release and use of infor- 
mation employees have access to. A similar block of instruction for the Uniformed 
Division Training Classes was added in November. Further, additional training is 
provided to new hires at Secret Service New Employee Orientation. 

Question 4c. Has the Secret Service implemented any additional policies and 
training in response to recent improper and illegal accesses? 

Answer. In light of the DHS OIG report of September 25, 2015, and subsequent 
addendum of October 22, 2015, specific guidelines have been established and are ef- 
fective for processing disciplinary and adverse actions resulting from the misuse of 
Secret Service database systems and/or the unauthorized disclosure of sensitive in- 
formation. Additionally, and as stated above, in August, the agency began including 
a dedicated block of instruction for the new Special Agent Training Classes regard- 
ing the Release of Information. The class provides an overview of the Privacy Act 
and the Freedom of Information Act, reviews employees’ responsibilities under those 
Acts and the consequences for failing to fulfill them, and more generally, discusses 
the proper release and use of information employees have access to. A similar block 
of instruction for the Uniformed Division Training Classes was added in November. 
Further, additional training is provided to new hires at Secret Service New Em- 
ployee Orientation. 

Questions From Chairman Scott Perry for John Roth 

Question la. After you issued the management alert on the Chaffetz PII incident, 
Director Clancy contacted your office in order to revise his recollection of events. 
This in turn caused you to reopen the investigation and issue an addendum to the 
original report. 

Has this ever occurred in any of your other reviews? 

Answer. No. 
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Question lb. Based on the conclusions in your addendum, would you be com- 
fortable updating the original conclusion in your report that indicated Director 
Clancy was not aware of the improper PII access until April 1? If so, when would 
you say Director Clancy became aware of the incident? 

Answer. The addendum serves as an update to the original report, and concludes 
that on March 25, Director Clancy learned from at least 3 separate sources that 
Chairman Chaffetz may have applied to the Secret Service. We are unable to con- 
clude, because Director Clancy has no memory of it, the degree to which he under- 
stood how widely the information was being disseminated through the Secret Serv- 
ice, or whether he understood that the discussion was being fueled and confirmed 
by dozens of agents improperly accessing Secret Service data systems. 

Question lc. Do you have concerns that Director Clancy provided a false state- 
ment to your investigators when originally interviewed? 

Answer. The earlier statement was inaccurate in that he originally stated that he 
was “fairly certain” that he first learned of it on April 1, the day before the media 
reports. We do not have any evidence as to his state of mind at the time he made 
the statement. 

Question 2a. On the OIG website, you list management alerts, which are designed 
to “inform senior DHS managers of conditions which pose an immediate and serious 
threat of waste, fraud, and abuse in agency programs.” Since July 2014, of the 5 
of the 15 management alerts have involved the Secret Service. This is concerning 
given that the Service is significantly smaller than other DHS components. 

How do the USSS misconduct statistics compare to other agencies within the De- 
partment? 

Question 2b. In your opinion, and experience, do the Secret Service misconduct 
statistics compare to other agencies of comparable size across the Federal Govern- 
ment? Is it average, above average, below average? 

Answer. We have not done a statistical comparison of misconduct allegations and 
cases between Secret Service and other DHS components or other agencies in the 
Federal Government. Certainly the allegations involving the Secret Service that 
have come to light since the 2012 events in Cartagena, Colombia are of grave con- 
cern and our reviews over the past several years point to on-going organizational 
and management challenges. During the current fiscal year, we will continue our 
oversight of the Secret Service, including a review of its implementation of the rec- 
ommendations of the Protective Mission Panel. In addition, we intend to evaluate 
the strength of the Department’s disciplinary processes. We will focus this review 
on the depth and breadth of employees’ perceptions and attitudes about misconduct 
and the application of discipline, DHS’s established rules of conduct, and the appli- 
cation of discipline across the Department. 

Questions From Ranking Member Bennie G. Thompson for John Roth 

Question 1. Since the Protective Mission Panel, you have had to be involved in 
investigating the Secret Service for personnel misconduct. You have also issued two 
management advisories for the agency in 2015. Based on your investigations of the 
Secret Service, what is the agency lacking? What does it need to change? 

Answer. The Secret Service needs to understand the requirements for building an 
ethical culture within their organization, which consists of three elements: (1) Lead- 
ers (not just the top leader, but all through the organization) who create a “tone 
at the top” and demonstrate their commitment to an ethical culture by both words 
and deed; (2) a commitment to both the words and the spirit of a meaningful code 
of conduct; and (3) creating a system of accountability for all of those in the organi- 
zation — leaders and the rank and file — who deviate from that. 

I believe that the Secret Service needs improvement in all three areas. That the 
leadership has not created the appropriate tone is apparent from the significant 
number of senior leaders and managers who did nothing once they found out about 
the conduct. We also had the deputy director of the Secret Service who failed to pro- 
vide information during his initial interview. This sends the message to the rank 
and file that such behavior, notwithstanding a written code of conduct, is acceptable. 
While we are satisfied that the Secret Service has taken steps since the Cartagena 
incident to establish a more uniform discipline system, I believe that more could be 
done to ensure that deviations from the code of conduct are addressed. 

Additionally, for an organization to change — and I believe that the Secret Service 
is in great need of change — the individuals within the organization must understand 
that there is a need for change, and individuals must be empowered to create that 
change. I do not see within the upper levels of the organization such an under- 
standing. Typically, in those circumstances change does not occur until there is a 
disruptive external event that forces the organization to change. 
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Question 2. Your office issues management alerts to senior leadership of DHS 
when your office finds conditions that pose a serious concern. You have issued man- 
agement advisories for the Secret Service in April 2015 and in October 2015. Your 
October 2015 management advisory actually warns that protectees could be in im- 
mediate danger if changes are not made. Looking at the Secret Service overall, what 
does it say about the agency to have two management advisories issued in such a 
short period of time? 

Answer. Both management alerts were ultimately caused by Secret Service’s in- 
ability to execute basic management functions in support of its mission. The April 
2015 alert was the result of not replacing an alarm system at a Presidential resi- 
dence that had been installed in 1993. We found that the Secret Service did not 
have a formal system to report and track security technical problems, maintenance 
and repair needs, and upgrades. Likewise, we found that the staffing shortages that 
we believe led to the officer fatigue issues were caused by the lack of a staffing and 
hiring plan that first would understand the number of personnel needed to staff the 
White House Complex without a reliance on excessive overtime, and second, would 
ensure the necessary administrative infrastructure to be able to efficiently hire to 
the proper level. 

Question 3. In October, you released a management alert after 2 agents were ob- 
served asleep on the job. You cited long overtime hours and fatigue as a reason for 
your concern. The Secret Service publicly stated it does not agree with your find- 
ings. Please describe how you reached your conclusion and what caused your obser- 
vations to rise to the level of an alert. 

Answer. The management alert occurred after we observed agents asleep during 
2 different site visits, at different locations, weeks apart, on July 15 and August 11. 
As auditors are trained to do, we looked to see if there may be a root cause for this. 
We found that the overtime for 1 officer for the previous 8 weeks amounted to 157 
hours — an average of being required to work 60 hours per week for 8 straight 
weeks. The second officer’s overtime totaled 73 hours for the previous 6 weeks, for 
an average of 52 hours per week. 

We also found that overtime among the Uniform Division has substantially in- 
creased in the last few years. In fiscal year 2013, it averaged 362 hours per position; 
in fiscal year 2015, it averaged 597.4 hours per position — a 39% increase in 3 years. 
We also found that the problem was getting worse, not better. The overtime was 
necessary because of a lack of officers; yet, in fiscal year 2015 the Uniform Division 
lost 162 officers through attrition, but managed to hire only 152 — a net loss of 10 
officers. Finally, we found that until recently the Secret Service had not engaged 
in a staffing plan or model to understand the staffing level it would need to ensure 
that it did not rely on excessive overtime to accomplish its mission. 

Question 4. Does the Management Alert issued by your office indicate any connec- 
tion between these incidents and either absent or ineffective Secret Service policies 
to ensure sustainable staffing practices and work-life balance? 

Answer. Yes. As I indicated in the answer to the last question, the Uniform Divi- 
sion officers are being asked to take on an unsustainable burden. What concerned 
us is the lack of effective response from the Secret Service leadership. The Protec- 
tive Mission Panel alerted the Department to this a year ago, and yet, as evidenced 
by the failure to hire even to the current level of attrition, the Secret Service has 
not responded in a manner that recognizes the severity of the problem. Hence, the 
management alert. 

Question 5. Improving morale at DHS is of particular priority to this committee 
and myself. You state in the management alert that USSS reported that “it recog- 
nizes that employee morale suffers when decreased staffing levels result in in- 
creased overtime and travel requirements, and decreased opportunities for training.” 
In your time investigating the Secret Service, have you observed times where mo- 
rale is in fact impacted? What factors would you say contribute to low morale in 
the Service? 

Answer. There is significantly low morale within the Secret Service. As noted in 
the most recent results of the Federal Employee Viewpoint Survey, the Secret Serv- 
ice is second to last. We believe that the inability to address the fundamental man- 
agement issues, including outdated technology and insufficient staffing, is a signifi- 
cant driver of poor morale. 

Question 6. Based on your investigation, were personnel within the Service suffi- 
ciently informed of the proper use of USSS computer systems and the care needed 
for sensitive information, whether via training, manuals, oral communications, etc.? 

Answer. Yes. Secret Service policies include information Technology Rules of Gen- 
eral Behavior that cover employees’ use of all Secret Service IT systems. The policy 
requires employees to safeguard Sensitive, Classified, and privacy-related informa- 
tion against unauthorized disclosure to the public. It further requires that all Secret 
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Service personnel acknowledge review and understanding of the provisions enumer- 
ated in that policy upon entering on duty with the Secret Service and annually 
thereafter. In addition, the Secret Service’s Table of Penalties includes penalties for 
unauthorized use of a Government computer and disclosure of information in viola- 
tion of the Privacy Act. 

Also applicable to the Secret Service are DHS-wide policies contained in the DHS 
Handbook for Safeguarding Sensitive Personally Identifiable Information, which also 
prohibits all employees from browsing files containing Sensitive PII out of curiosity 
or for personal reasons. 

In addition to these policies, the log-on screen for the MCI database contained 
specific warnings that the system could be used for authorized Government business 
only. 

Question 7. You state in your memorandum that although agents were trained on 
use of the system and received yearly refresher trainings, it was apparent that 
many of the agents disregarded that training. What did you observe in your inves- 
tigation that led you to this conclusion? 

Answer. In response to interview questions by OIG agents, many of the Secret 
Service employees who authorized Chairman Chaffetz’ MCI record without author- 
ization insisted that their actions were appropriate. Some acknowledged ignoring 
the warning banner on the MCI logon screen. Others thought that accessing the 
database, even without a legitimate business purpose, was okay because it was “our 
database.” 

Question 8. Your office only reviewed the MCI system for those individuals who 
accessed Congressman Chaffetz’ personal file. Therefore, it is possible that other in- 
dividuals were also searched in the database. Based on your review of the system 
and interviews with Service employees, do you believe employees frequently utilized 
the MCI system improperly, in particular to research individuals? If so, how fre- 
quently do you believe this occurs? 

Answer. Based on our interviews, it appeared that there was a casual attitude 
about the rules regarding the use of the system. This was obvious in the number 
of individuals who conducted improper searches of Chairman Chaffetz’ name. We 
found no reason that this did not occur before for other individuals. 

Question 9. Based on your experience in accountability and law enforcement 
across the Federal Government, do you have any concerns about these employees’ 
status while under adjudication? As DHS Inspector General, would you advise De- 
partment and Secret Service leadership to change policies related to employees sub- 
ject to disciplinary review in any way? 

Answer. The use of paid administrative leave for DHS employees facing mis- 
conduct investigations and adjudications is a matter currently being reviewed by the 
Government Accountability Office and we look forward to reviewing the analysis 
and recommendations contained in its upcoming report. 

We should note that as a general matter, Federal law allows agencies to suspend 
an employee indefinitely without pay if there is reasonable cause to believe that a 
crime has been committed for which a term of imprisonment may be imposed. Laws 
and policies regarding employees subject to disciplinary review should ultimately be 
balanced against critical due process safeguards to ensure fairness and consistency 
to the Federal workforce. 

Questions From Chairman James Lankford for John Roth 

Question la. During your testimony you indicated that the MCI database was un- 
able to audit accesses without a specific program written for each search term. 

Since the migration to an updated database system, what audit capability and 
checks (automatic or manual) are now in place? 

Answer. We are currently conducting a technical security assessment of the Secret 
Service’s updated database systems that when complete, will answer this question. 
Specifically, our Office of Information Technology Audits is reviewing the informa- 
tion systems the Secret Service currently uses to store and retrieve data and infor- 
mation previously stored in the MCI database. Our assessment is designed: (1) To 
verify that the MCI is in fact no longer in use, (2) identify which systems currently 
house MCI data, (3) determine the level of physical and system controls imple- 
mented to secure the data from further instances of unauthorized access, and (4) 
identify gaps in the security posture. We plan to issue our final report in February 
2016, and I look forward to discussing our conclusions with you and your staff at 
that time. 

Question lb. Based on your investigation, would a regularly occurring, agency- 
wide OIG audit of PII searches help change Secret Service culture regarding the 
protection of PII? 
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Answer. We believe that the best way to prevent future activity of the type we 
saw here would be for Secret Service to focus to a greater degree on its information 
security program. Modern data systems with appropriate audit and access controls, 
when coupled with appropriate agency processes, policies, and procedures, would 
prevent unauthorized access to information. Every year, we audit, pursuant to the 
Federal Information Security Act (FISMA), DHS’ information systems. FISMA re- 
quires IGs to perform evaluations of Departmental implementation of the 11 pro- 
gram-level security authorization activities. DHS OIG performs tests to determine 
how the Department’s components are implementing these activities. 

From fiscal year 2013 to the present, Secret Service has done poorly on these 
FISMA reviews compared with other DHS components. For example, as of Sep- 
tember 2015, USSS failed to meet the Department’s “security authorizations” target 
of 100% for “high value assets” and 95% for “all other FISMA systems” as USSS 
only scored 75% and 58% respectively. In addition, USSS only scored 38% in “weak- 
ness remediation,” where the Department’s target was 90%. 

We believe that focusing on modernizing and securing Secret Service data sys- 
tems, in combination with training and other efforts to create an ethical culture 
(such as a uniformly administered system for dealing with deviations from a defined 
standard of conduct) are the best way to change the culture with regard to the use 
of PII. 

Question lc. Based on your investigation, what recommendations would you make 
to change Secret Service culture regarding PII? 

Answer. As noted in the above question, the systems that the Secret Service uses 
to store PII must have audit and access controls that help ensure the security and 
confidentially of Privacy Act-protected records. Training about PII and its appro- 
priate handling and safeguarding should be reinforced and reemphasized. Ulti- 
mately, change will come when management does not tolerate the deliberate or 
grossly negligent mishandling of PII and employees who violate Department and Se- 
cret Service policies and/or the Privacy Act face disciplinary consequences for their 
actions. 

Question 2a. Your testimony reflects that agents seemed to consider personal data 
on Secret Service databases as theirs to access as they pleased. 

What training policy updates have been or should be made to correct this mindset 
reflected in your investigation? 

Answer. Our investigation did not determine what changes, if any, Secret Service 
has made to their training policies as a result of this incident. Our next FISMA 
audit will determine the overall level of training Secret Service personnel receive. 

Question 3a. The September 2015 Department of Homeland Security (DHS) Office 
of the Inspector General (OIG) report titled “Investigation into the Improper Access 
and Distribution of Information Contained Within a Secret Service Data System” 
did not audit the 45 Secret Service employees for unauthorized access of personally 
identifiable information on the agency’s databases prior to the Congressman 
Chaffetz matter starting on March 25, 2015. 

Should DHS OIG conduct additional audits of these 45 Secret Service employees 
for unauthorized accesses prior to this date? 

Answer. We share the concern that it is possible that these specific employees 
mishandled or accessed files without authorization prior to this specific investiga- 
tion — whether related to Chairman Chaffetz or others. Due to the technical limita- 
tions of the MCI database, it would be nearly impossible for us to conduct additional 
audits of these 45 employees. Moreover, according to the Secret Service, the MCI 
mainframe has been disassembled as of September 2015 so it is unclear whether 
additional audits can be performed on the system. 

Question From Chairman Ron Johnson for John Roth 

Question. The DHS OIG concluded that 4 of the 45 Secret Service employees that 
accessed the PII information of Congressman Chaffetz were authorized to do so. 
What was the criterion for determining if the Secret Service employee that accessed 
the information of Congressman Chaffetz in the MCI database was authorized or 
unauthorized? 

Answer. To determine whether Secret Service employees were authorized or unau- 
thorized to access Chairman Chaffetz’ information in the MCI database, we ana- 
lyzed whether they had an official purpose to access the record. Officials who exam- 
ined the record in connection with the performance of assigned duties and who had 
to access the record in order to perform those assigned duties properly were consid- 
ered authorized. 

For example, employees at a specific field office received a press inquiry as to 
whether Chairman Chaffetz had applied to that office. While the office appropriately 
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declined to comment to the press, as part of their due diligence, they accessed the 
system to determine whether it was true. Likewise, one employee in headquarters 
was directed by his superior to do so, as part of deciding what management steps 
to take. 

However, a number of supervisors accessed the information, purportedly to deter- 
mine whether the talk about Chairman Chaffetz was true. Accessing the record in 
that circumstance was inappropriate and not in connection with an official purpose 
because the truth or falsity of the information was irrelevant to directing their sub- 
ordinates to use Secret Service data systems only for official Government purposes, 
and not to satisfy personal curiosity. This was especially the case since, with a few 
narrow exceptions, these supervisors did nothing with this information, such as re- 
porting it up the chain to their superiors. 

Question From Chairman Scott Perry for Joel C. Willemssen 

Question. Based on your expertise and what you have heard today, how can agen- 
cies, and specifically DHS and the Secret Service, ensure they have the proper inter- 
nal security controls so that only the right employees, with a need to know, can ac- 
cess sensitive information such as PII? 

Answer. Agencies first need to establish and communicate policies for collecting, 
storing, accessing, using, and retaining personally identifiable information (PII) 1 
and other sensitive information. The policies should state when it is appropriate to 
access such information, when it is not, and the consequences for willful noncompli- 
ance. In addition, managers, supervisors, and employees should be informed and 
trained regarding their respective responsibilities for safeguarding PII. 

In addition, agencies, including the Department of Homeland Security (DHS ) and 
the Secret Service, can implement several protective measures to control access to 
PII and other sensitive information. As we reported in September 2015, 2 access con- 
trols limit, prevent, or detect inappropriate access to computer resources, including 
PII and other sensitive information, thereby protecting them from unauthorized use, 
modification, disclosure, and loss. These controls include ensuring that only per- 
sonnel with a need to know are authorized access to sensitive information. Agencies 
implement authorization controls by, for example, uniquely identifying all users, pe- 
riodically reviewing system access, disabling accounts of users who no longer need 
access, and assigning the lowest level of permission necessary for a task. 

Agencies should also implement audit and monitoring controls, which establish in- 
dividual accountability, monitor compliance with security policies, and investigate 
security violations. These controls help determine what, when, and by whom specific 
actions have been taken on a system and can be used to monitor users’ access of 
sensitive information, including PII. To implement controls for monitoring access, 
agencies can install software that provides an audit trail or logs of system activity 
that can be used to determine the source of an action or activity. 

Questions From Ranking Member Bennie G. Thompson for Joel C. 

Willemssen 

Question 1. GAO’s September 2015 report on information security speaks directly 
to weaknesses in limiting, preventing, and detecting inappropriate access to com- 
puter resources. Please provide us with examples of what other Federal agencies are 
doing to better monitor inappropriate internal data access. 

Answer. As we reported, 3 agencies can monitor inappropriate data access by im- 
plementing audit and monitoring controls. These controls establish individual ac- 
countability, monitor compliance with security policies, and investigate security vio- 
lations. Audit and monitoring controls help determine what, when, and by whom 
specific actions have been taken on a system and can be used to monitor users’ ac- 
cess to sensitive information such as PII. In March 2015, we reported 4 that the In- 
ternal Revenue Service (IRS) continued to enhance its audit and monitoring capa- 
bility. Specifically, IRS had strengthened the audit and monitoring processes of its 


1 PII is any information that can be used to distinguish or trace an individual’s identity, such 
as name, date and place of birth, Social Security number, or other types of personal information 
that can be linked to an individual, such as medical, educational, financial, and employment 
information. 

2 GAO, Federal Information Security: Agencies Need to Correct Weaknesses and Fully Imple- 
ment Security Programs, GAO-15—714 (Washington, DC: Sept. 29, 2015). 

3 GAO-15-714. 

4 GAO, Information Security: IRS Needs to Continue to Improve Controls over Financial and 
Taxpayer Data, GAO-15—337 (Washington, DC: Mar. 19, 2015). 
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mainframe by enabling the monitoring of changes to certain controls over the man- 
agement of data. 

In addition, the Treasury Inspector General for Tax Administration (TIGTA) mon- 
itors access and refers instances of willful unauthorized inspection of taxpayer data 
for administrative actions or prosecution. For example, according to TIGTA, for fis- 
cal years 2014 and 2015, its Office of Investigations successfully prosecuted 15 in- 
vestigations. Seven of the 15 were for violating the Taxpayer Browsing Protection 
Act of 1997. 5 The remaining 8 were prosecuted for unauthorized access related to 
the use of a Government computer. 

Question 2. Your September 2015 report lists 5 different areas of potential weak- 
nesses in agency compliance: Did GAO’s analysis find weaknesses in compliance by 
DHS in any of these 5 areas, and if so, which one(s)? 

Answer. Yes, our analysis of agency, inspector general, and our reports identified 
weaknesses at DHS for all 5 areas. These areas included controls intended to: (1) 
Limit unauthorized access to agency systems and information; (2) ensure that soft- 
ware and hardware are authorized, updated, monitored, and securely configured; (3) 
appropriately divide duties so that no single person can control all aspects of a com- 
puter-related operation; (4) establish plans for continuing information system oper- 
ations in the event of a disaster, and (5) provide a security management framework 
for understanding risks and ensuring that controls are selected, implemented, and 
operating as intended. 

Question 3. Earlier this year, GAO released a report stating that OMB, in con- 
sultation with DHS, should enhance its security program reporting guidance and lo- 
cated information security weaknesses. Speak to your findings as it relates to this 
particular data leak. What improvements should DHS, and in particular the Secret 
Service, implement in areas of access control, segregation of duties, and security 
management? 

Answer. Our findings do not specifically address the incident that occurred at the 
Secret Service. However, the Federal Information Security Modernization Act of 
2014 (FISMA) 6 now requires OMB to include in its annual report to Congress a 
summary of major agency information security incidents, such as the incident at the 
Secret Service. 

In September 2015, we reported 7 on the adequacy of the information security poli- 
cies and practices of the 24 agencies covered by the Chief Financial Officers (CFO) 
Act of 1990. 8 Like most other agencies, DHS had weaknesses in each of the 5 con- 
trol areas we track, including access controls, segregation of duties, and security 
management. 

To improve their access controls, DHS and the Secret Service should ensure the 
enforcement of the principle of “least privilege,” where employees are granted the 
minimum level of access necessary to perform their duties. DHS and the Secret 
Service should also ensure that incompatible duties are separated and that employ- 
ees understand their responsibilities. Separation of duties can be implemented 
through formal operating procedures, supervision, and reviewing access authoriza- 
tions, among other things. 

To improve security management activities, both DHS and the Secret Service 
should ensure that they fully implement entity-wide information security programs 
so that risks are understood and that effective controls are selected, implemented, 
and operating as intended. 

Question 4. Can you confirm that given the scope of GAO’s engagement, analysts 
collected information with regard to information-security compliance by the Depart- 
ment of Homeland Security overall, and did not collect any information with regard 
to Secret Service practices specifically? 


5 The Taxpayer Browsing Protection Act was enacted on August 5, 1997, and made willful un- 
authorized inspection of taxpayer data illegal. Pub. L. 105—35, 111 Stat. 1104 (1997). 

6 The Federal Information Security Modernization Act of 2014 was enacted as Pub. L. No. 
113-283 (Dec. 18, 2014). FISMA 2014 largely supersedes the very similar Federal Information 
Security Management Act of 2002 (FISMA 2002), Pub. L. No. 107-347, Title III (Dec. 17, 2002), 
and expands the role and responsibilities of the Department of Homeland Security, but retains 
many of the requirements for Federal agencies’ information security programs previously set by 
the 2002 law. 

7 GAO-15-714. 

8 The 24 Chief Financial Officers Act agencies are the Departments of Agriculture, Commerce, 
Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and 
Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Vet- 
erans Affairs; the Environmental Protection Agency; General Services Administration; National 
Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Com- 
mission; Office of Personnel Management; Small Business Administration; Social Security Ad- 
ministration; and the U.S. Agency for International Development. 
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Answer. As part of our audit of Federal agencies’ implementation of the provisions 
of FISMA, we collected information on the information security efforts of the 24 Fed- 
eral agencies covered by the CFO Act, including DHS. However, we did not collect 
or receive any information regarding specific security practices at the Secret Service. 

Question 5. Does it seem reasonable to you to conclude that Secret Service faces 
some of the management challenges highlighted in the latest High-Risk Update, and 
that leaders of the Secret Service must demonstrate the “continued perseverance” 
in improving agency management culture that the Comptroller General calls for in 
the Update? 

Answer. Yes, it would be reasonable to conclude that the Secret Service faces 
some of the same management challenges. For example, in the most recent update 
to our High-Risk series 9 we lauded DHS’s progress in strengthening its manage- 
ment functions, but concluded that the Department still faces significant manage- 
ment challenges. Such challenges include improving employee morale, a challenge 
that the Secret Service could also face with its employees. 

For example, according to the Partnership for Public Service’s 2015 rankings of 
the Best Places to Work in the Federal Government, the Secret Service ranked 319 
of 320 agency subcomponents Government- wide. Additionally, according the Part- 
nership for Public Service’s analysis of Federal Employee Viewpoint Survey data, 
employee satisfaction and commitment among Secret Service employees consistently 
declined from fiscal year 2011 through fiscal year 2015. 

Question 6. In your testimony, you state that this particular improper data access 
is the most common among agencies — too many individuals having access to a broad 
range of data unrelated to their job responsibilities. What solutions are available to 
fix this broad information access and better monitor employees’ use of data systems? 

Answer. In September 2015, we reported 10 that 22 of the 24 CFO Act agencies 
had weaknesses with limiting, preventing, and detecting unauthorized access to 
agency systems and information. Specifically, 18 agencies had weaknesses in con- 
trols that are intended to limit user access to only that necessary for performing 
their work. When granting access to users, agencies should provide only the min- 
imum access necessary for performing their duties. In addition, agencies should im- 
plement audit and monitoring controls to monitor users’ access of sensitive informa- 
tion such as PII. These controls can help determine what, when, and by whom spe- 
cific actions have been taken on a system. 

Questions From Chairman James Lankford for Joel C. Willemssen 

Question la. Your testimony reflects that the Social Security Agency has personal 
identifying information (PII) on nearly every U.S. citizen, and that agencies such as 
the VA, Department of Education, and CFPB also house substantial amounts of PII. 

What are the most effective means for auditing employee access of PII at these 
agencies? 

Answer. As we reported in September 2015, 11 agencies should use audit and mon- 
itoring controls to establish individual accountability, monitor compliance with secu- 
rity policies, and investigate security violations. These controls help determine 
what, when, and by whom specific actions have been taken on a system and can 
be used to monitor users’ access of sensitive information, such as personally identifi- 
able information (PII). 12 

To monitor users’ access and actions, agencies can install software that provides 
an audit trail or logs of system activity that can be used to determine the source 
of an action or activity. Agencies can also monitor users’ access by implementing 
other technologies such as network- and host-based intrusion detection systems, se- 
curity event correlation tools, and computer forensics. Network-based intrusion de- 
tection systems capture or “sniff’ and analyze network traffic in various parts of a 
network. 

Question lb. Which Government-wide, unimplemented GAO recommendations 
concerning PII protection should be put into place first? 

Answer. We currently have 1 Government-wide PH-related recommendation 
whose implementation status we are evaluating. This recommendation was made to 


9 GAO, High-Risk Series: An Update, GAO— 15-290 (Washington, DC: Feb. 11, 2015). 

10 GAO-15-714. 

11 GAO, Federal Information Security: Agencies Need to Correct Weaknesses and Fully Imple- 
ment Security Programs, GAO-15—714 (Washington, DC: Sept. 29, 2015). 

12 PII is any information that can be used to distinguish or trace an individual’s identity, such 
as name, date and place of birth, Social Security number, or other types of personal information 
that can be linked to an individual, such as medical, educational, financial, and employment 
information. 
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the Office of Management and Budget (OMB) in our 2013 report 13 regarding our 
finding that the 8 agencies we reviewed had inconsistently implemented data breach 
policies and procedures. We recommended that, to improve the consistency and ef- 
fectiveness of Government-wide data breach response programs, OMB should up- 
date its guidance on Federal agencies’ responses to PH-related data breaches. OMB 
neither agreed nor disagreed with our recommendation. 

According to OMB, it has set a date of March 16, 2016, for updating its PII protec- 
tion guidance to reflect current best practices and recent lessons learned regarding 
privacy protections and data breach standards. 

Question 2a. You testified that it was perplexing to you why the Secret Service 
would still have PII information on Congressman Chaffetz from 2003, given the Na- 
tional Archives and Records Administration (NARA) requirement to properly dispose 
of such information once it is no longer needed. 

How well are agencies complying with the NARA requirements to dispose or ar- 
chive personal information once it is no longer needed? 

Answer. We have not performed work specifically addressing the extent to which 
agencies are complying with the National Archives and Records Administration’s 
(NARA) requirements for disposing or archiving personnel information that is no 
longer needed. However, in May 2015, we reported that Federal agencies took ac- 
tions toward implementing requirements set forth in a NARA and OMB joint direc- 
tive on managing Government records. 14 To illustrate: 

• Twenty-three of the 24 Federal agencies we reviewed implemented the require- 
ment to develop and begin implementing plans to manage all permanent 
records in an electronic format. 

• Twenty-one of these 24 agencies implemented the requirement to identify for 
transfer and reporting those permanent records in existence for more than 30 
years. 

• Twenty of the 24 agencies implemented the requirement to identify all unsched- 
uled records that have not been properly scheduled. 15 

Nevertheless, 5 agencies we reviewed did not fully meet those requirements, and 
we recommended that they and NARA take certain corrective actions. We did not 
make any recommendations to the Department of Homeland Security (DHS). 

Question 3a. Under the Federal Information Security Modernization Act of 2014 
(FISMA) the Office of Management and Budget (OMB) is required to maintain over- 
sight responsibilities of Federal information security programs and ensure minimum 
security requirements for Government-wide information security programs and 
practices. 

What is your assessment of OMB’s fulfillment of these responsibilities over the 
last several years? 

Answer. During the 12 years from when the Federal Information Security Man- 
agement Act of 2002 (FISMA 2002) was enacted into law to when it was largely re- 
placed by FISMA 2014, 16 Executive branch oversight of agency information security 
has evolved. As part of its FISMA 2002 oversight responsibilities, OMB issued an- 
nual instructions for agencies and inspectors general to meet FISMA 2002 reporting 
requirements. During that time we made recommendations to OMB for improving 
its oversight of agencies’ security programs. For example, in 2013 we rec- 
ommended 17 that OMB and DHS provide insight into agencies’ security programs 
by developing additional metrics for key security areas such as those for periodically 
assessing risk and developing subordinate security plans. We also recommended 
that metrics for FISMA reporting be developed to allow inspectors general to report 
on the effectiveness of agencies’ information security programs. OMB generally 


13 GAO, Information Security: Agency Responses to Breaches of Personally Identifiable Infor- 
mation Need to Be More Consistent, GAO— 14-34 (Washington, DC: Dec. 9, 2013). 

14 GAO, Information Management: Additional Actions Are Needed to Meet Requirements of the 
Managing Government Records Directive, GAO— 15-339 {Washington, DC: May 14, 2015). 

15 Scheduling is the means by which agencies identify Federal records, determine time frames 
for their disposition, and identify permanent records of historical value that are to be trans- 
ferred to NARA for preservation and archiving. Unscheduled records are those records that have 
not had their value assessed or their disposition determined. 

16 The Federal Information Security Modernization Act of 2014 was enacted as Pub. L. No. 
113-283 (Dec. 18, 2014). FISMA 2014 largely supersedes the very similar Federal Information 
Security Management Act of 2002 (FISMA 2002), Pub. L. No. 107-347, Title III (Dec. 17, 2002), 
and expands the role and responsibilities of the Department of Homeland Security, but retains 
many of the requirements for Federal agencies’ information security programs previously set by 
the 2002 law. 

17 GAO, Federal Information Security: Mixed Progress in Implementing Program Components; 
Improved Metrics Needed to Measure Effectiveness, GAO— 13— 776 (Washington, DC: Sept. 26, 
2013). 



85 


agreed with our recommendations. DHS also agreed with our recommendations and 
identified the actions it had taken or planned to take to address them. 

In February 2013, we reported 18 that when OMB transferred several of its over- 
sight responsibilities to DHS through a joint memorandum, 19 it was not clear how 
the two organizations would share these responsibilities. In that report, we sug- 
gested that Congress consider legislation to better define roles and responsibilities 
for implementing and overseeing Federal information security programs. In Decem- 
ber 2014, Congress passed FISMA 2014 to improve cybersecurity and clarify cyber- 
security oversight roles and responsibilities, among other things. 

FISMA 2014 is intended to address the increasing sophistication of cybersecurity 
attacks, promote the use of automated security tools with the ability to continuously 
monitor and diagnose the security posture of Federal agencies, and provide for im- 
proved oversight of Federal agencies’ information security programs. The act also 
clarifies and assigns additional responsibilities to OMB, DHS, and Federal Execu- 
tive branch agencies. 

In carrying out its FISMA responsibilities, OMB has increased its efforts to over- 
see agencies’ implementation of information security. For example, OMB created the 
Cyber and National Security Team, called the E-Gov Cyber Unit, to strengthen Fed- 
eral cybersecurity through targeted oversight and policy issuance. In September 
2015, we reported that OMB, along with DHS, had increased oversight and assist- 
ance to Federal agencies in implementing and reporting on information security pro- 
grams. 20 

In June 2015, in response to the Office of Personnel Management security 
breaches and to protect Federal systems from emerging threats, the Federal Chief 
Information Officer launched a 30-day Cybersecurity Sprint. 21 As part of this effort, 
the Federal Chief Information Officer instructed Federal agencies to immediately 
take a number of steps to further protect Federal information and assets and to im- 
prove the resilience of Federal networks. 

Most recently, in October 2015, OMB issued a cybersecurity strategy implementa- 
tion plan that is intended to strengthen Federal civilian agencies’ cybersecurity. 22 
The plan is to address Government-wide cybersecurity gaps through five objectives: 
(1) Prioritized identification and protection of high-value information and assets; (2) 
timely detection of and rapid response to cyber incidents; (3) rapid recovery from 
incidents when they occur and accelerated adoption of lessons learned from the Cy- 
bersecurity Sprint assessment; (4) recruitment and retention of the most highly- 
qualified cybersecurity workforce; and (5) efficient and effective acquisition and de- 
ployment of existing and emerging technology. The plan address our recommenda- 
tion that the White House develop an overarching strategy for improving cybersecu- 
rity. 23 

Question 3b. What GAO findings regarding OMB’s oversight of Government-wide 
information security programs demonstrate the greatest risks for exposure of PII? 

Answer. As previously mentioned, we reported 24 that the 8 Federal agencies we 
reviewed generally developed, but inconsistently implemented, policies and proce- 
dures for responding to data breaches involving PII that addressed key practices 
specified by OMB and the National Institute of Standards and Technology. We at- 
tributed agencies’ inconsistent implementation of data breach policies and proce- 
dures to incomplete guidance from OMB. 

Also, in 2012, we reiterated 25 our previous finding reported in 2008 26 that while 
the Privacy Act, the E-Government Act, and related OMB guidance set minimum 


18 GAO, Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined 
and More Effectively Implemented, GAO— 13-187 {Washington, DC: Feb. 14, 2013). 

19 OMB, Memorandum M-10— 28, Clarifying Cybersecurity Responsibilities and Activities of the 
Executive Office of the President and the Department of Homeland Security {Washington, DC: 
July 6, 2010). 

20 GAO-15-714. 

21 In June 2015, the Federal Chief Information Officer launched the 30-day Cybersecurity 
Sprint, during which agencies were to take immediate actions to combat cyber threats within 
30 days. Actions included patching critical vulnerabilities, tightening policies and practices for 
privileged users, and accelerating the implementation of multi-factor authentication. 

22 OMB, Memorandum M-16— 04, Cybersecurity Strategy and Implementation Plan for the Fed- 
eral Civilian Government (Washington, DC: Oct 30, 2015). 

23 GAO, Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better-Defined 
and More Effectively Implemented, GAO— 13-187 {Washington, DC: Feb. 14, 2013). 

24 GAO-14-34. 

25 GAO, Privacy: Federal Law Should Be Updated to Address Changing Technology Land- 
scape, GAO-12— 961T (Washington, DC: July 31, 2012). 

26 GAO, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Infor- 
mation, GAO— 08— 536 (Washington, DC: May 19, 2008). 
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requirements for agencies, such laws and guidance may not consistently protect PII 
in all circumstances of its collection and use throughout the Federal Government 
and may not fully adhere to key privacy principles. We stressed that unilateral ac- 
tion by OMB might not be the best way to strike an appropriate balance between 
the Government’s need to collect, process, and share personally identifiable informa- 
tion and the rights of individuals to know about such collections and be assured that 
they are only for limited purposes and uses. We suggested that Congress consider 
amending applicable laws such as the Privacy Act and E-Government Act by: 

• revising the scope of the laws to cover all PII collected, used, and maintained 
by the Federal Government; 

• setting requirements to ensure that the collection and use of personally identifi- 
able information is limited to a stated purpose; and 

• establishing additional mechanisms for informing the public about privacy pro- 
tections by revising requirements for the structure and publication of public no- 
tices. 

o 



